WO2021056731A1 - Log data analysis-based behavior detection method, apparatus, device, and medium - Google Patents


Info

Publication number
WO2021056731A1
Authority
WO
WIPO (PCT)
Prior art keywords
functional node
access
combination
log data
frequency
Prior art date
Application number
PCT/CN2019/117530
Other languages
French (fr)
Chinese (zh)
Inventor
秦威
王智浩
杨冬艳
Original Assignee
平安科技(深圳)有限公司
Priority date
Filing date
Publication date
Application filed by 平安科技(深圳)有限公司
Publication of WO2021056731A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3636 Software debugging by tracing the execution of the program
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/362 Software debugging
    • G06F11/3644 Software debugging by instrumenting at runtime
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/32 User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Definitions

  • This application relates to the technical field of security protection, and in particular to a behavior detection method, device, equipment, and medium based on log data analysis.
  • the isolation forest algorithm is usually used to detect whether user behavior is abnormal.
  • the isolation forest algorithm has extremely high requirements on the number of samples, and such samples are not easy to obtain.
  • the isolation forest algorithm only takes the number of visits into account, so the accuracy of user behavior detection is low.
  • a behavior detection method based on log data analysis includes: when a behavior detection instruction is received, obtaining the first log data of each functional node of the person to be detected in a preset system through the buried-point technique; calculating, from the first log data, the first access frequency of each functional node for the person to be detected; retrieving the target access frequency of each functional node; comparing the first access frequency of each functional node with the target access frequency of that functional node; when the first access frequency of a functional node is greater than the target access frequency, determining from the first log data the sequence in which the person to be detected accessed the functional nodes; establishing a first queue of the functional nodes based on the access sequence; splitting the first queue to obtain the first combinations of functional nodes accessed by the person to be detected; retrieving the pre-configured reference combinations; matching the first combinations against the reference combinations; and, when any of the first combinations fails to match, determining that the behavior of the person to be detected is abnormal.
  • a behavior detection device based on log data analysis comprises: an acquisition unit, configured to obtain, when a behavior detection instruction is received, the first log data of each functional node of the person to be detected in a preset system through the buried-point technique; a calculation unit, used to calculate the first access frequency of each functional node for the person to be detected from the first log data; a retrieval unit, used to retrieve the target access frequency of each functional node; a comparison unit, used to compare the first access frequency of each functional node with the target access frequency of that functional node; a determining unit, used to determine from the first log data, when the first access frequency of a functional node is greater than the target access frequency, the sequence in which the person to be detected accessed the functional nodes; an establishment unit, configured to establish a first queue of the functional nodes based on the access sequence; a splitting unit, configured to split the first queue to obtain the first combinations of functional nodes accessed by the person to be detected; the retrieval unit also being used to retrieve the pre-configured reference combinations;
  • an electronic device comprising: a memory storing at least one instruction; and a processor that executes the instructions stored in the memory to implement the behavior detection method based on log data analysis.
  • a non-volatile readable storage medium stores at least one instruction, and the at least one instruction is executed by a processor in an electronic device to implement the behavior detection method based on log data analysis.
  • FIG. 1 is a flowchart of a preferred embodiment of a behavior detection method based on log data analysis according to the present application.
  • FIG. 2 is a functional module diagram of a preferred embodiment of a behavior detection device based on log data analysis according to the present application.
  • FIG. 3 is a schematic structural diagram of an electronic device implementing a preferred embodiment of a behavior detection method based on log data analysis according to the present application.
  • FIG. 1 is a flowchart of a preferred embodiment of the behavior detection method based on log data analysis of the present application. According to different needs, the order of the steps in the flowchart can be changed, and some steps can be omitted.
  • the behavior detection method based on log data analysis is applied to one or more electronic devices.
  • the electronic device is a device that can automatically perform numerical calculation and/or information processing in accordance with pre-set or stored instructions.
  • hardware includes, but is not limited to, microprocessors, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), embedded devices, etc.
  • the electronic device may be any electronic product that can perform human-computer interaction with the user, such as a personal computer, a tablet computer, a smart phone, a personal digital assistant (PDA), a game console, an interactive network television (Internet Protocol Television, IPTV), a smart wearable device, etc.
  • the electronic device may also include a network device and/or user equipment.
  • the network device includes, but is not limited to, a single network server, a server group composed of multiple network servers, or a cloud composed of a large number of hosts or network servers based on cloud computing.
  • the network where the electronic device is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a virtual private network (Virtual Private Network, VPN), etc.
  • the behavior detection instruction can be triggered by the user, or can be triggered automatically when certain conditions are met, which is not limited by this application.
  • the certain conditions include, but are not limited to, reaching the first preset time, etc.
  • the first preset time may include a determined time point, or include a time period, etc., for example: the first preset time may be 7 o'clock in the morning every day.
  • the preset system is a business system corresponding to the work content of the person to be tested.
  • the functions of the business system may include marketing planning, sales, sales process management, customer service management, customer relationship management, risk prevention, etc.
  • the first log data refers to data that records a series of operations of the person to be tested on each functional node in the preset system, and the first log data plays an important role in processing tasks such as historical data.
  • the acquisition of the first log data of each functional node of the person to be detected in the preset system through the buried-point technique includes:
  • the electronic device obtains, through the buried-point technique, the access behavior of the person to be detected on each functional node and the first access time at which the access behavior occurs; further, the electronic device records the access behavior and the first access time to obtain the first log data of each functional node.
  • the buried-point technique is a data collection method for privately deployed systems; it can be understood as marking and tracking data, tracing data links, and so on.
  • for example, the first log data may record that person A to be detected visits functional node A at 10:00, functional node B at 15:00 and functional node C at 18:00.
  • the first log data can be quickly and accurately obtained, thereby facilitating the calculation of the frequency of visits to each functional node by the person to be tested.
  • S11 Calculate the first visit frequency of each functional node of the person to be inspected according to the first log data.
  • the first visit frequency refers to the number of visits to the functional node by the person to be inspected within a unit time.
  • the unit time may include a time period, etc., for example: the unit time may be 1 hour, which is not limited in this application.
  • the electronic device calculating the first access frequency of each functional node of the person to be detected according to the first log data includes:
  • the electronic device determines the access identifier corresponding to each functional node; further, using the nondeterministic finite automaton (NFA) matching principle, the electronic device identifies each access identifier in the first log data and counts the occurrences of each access identifier per unit time to obtain the first access frequency of each functional node for the person to be detected.
  • for example, the electronic device obtains the access identifier of functional node A as jiediana; further, the electronic device recognizes from the first log data that jiediana occurs 10 times in one hour, so the first access frequency of functional node A is 10 times/hour.
  • the frequency of visits to each functional node of the person to be detected can be accurately calculated.
  • the target access frequency is determined based on the 99.7 rule (the three-sigma rule) of the normal distribution curve.
  • before retrieving the target access frequency of each functional node, the method further includes:
  • the electronic device obtains the frequency at which at least one user accesses each functional node as the second access frequency, performs normal distribution processing on the second access frequencies of each functional node to obtain the normal distribution curve of each functional node, obtains from the normal distribution curve the third access frequencies satisfying the 99.7 rule, and determines the highest third access frequency as the target access frequency.
  • for example, the electronic device confirms the highest third access frequency, 25 times/hour, as the target access frequency of functional node A.
  • the at least one user includes, but is not limited to: regular users with high frequency of access to each functional node, etc.
  • the second access frequency is the frequency at which the at least one user accesses each functional node.
  • for example, if user C accesses functional node A 10 times/hour and user D accesses functional node A 8 times/hour, then the second access frequency of user C for functional node A is 10 times/hour and the second access frequency of user D for functional node A is 8 times/hour.
  • the frequency of regular users' access to each functional node can be obtained, and the target access frequency of each functional node can be further determined.
  • after comparing the first access frequency of each functional node with the target access frequency of each functional node, the electronic device obtains a comparison result, which may be either of the following:
  • there is a functional node whose first access frequency is greater than the target access frequency;
  • the first access frequency of each functional node is less than the target access frequency.
  • for example, the first access frequency of person A under test is 3 times/hour for functional node A, 100 times/hour for functional node B and 4 times/hour for functional node C, while the target access frequencies retrieved by the electronic device are 8 times/hour for functional node A, 10 times/hour for functional node B and 12 times/hour for functional node C; comparing the first access frequency of each functional node with its target access frequency, the electronic device obtains the comparison result that there is a functional node, B, whose first access frequency is greater than the target access frequency.
  • the comparison result of the first access frequency and the target access frequency of each functional node can be obtained, and the comparison result can be used as a necessary condition for behavior detection.
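The frequency stage described above (first access frequency from the first log data, target access frequency from the 99.7 rule, and the comparison), as an added Python example that is not part of the patent. The log records, the identifier jiedianb for node B, the hourly bucketing and the reading of the 99.7 rule as mean + 3 sigma are assumptions of this example.

```python
"""Added example, not the patent's own code: first access frequency, target
access frequency from the 99.7 (three-sigma) rule, and the comparison step."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Access identifier -> functional node. "jiediana" is the identifier the patent
# gives node A; "jiedianb" is an assumed identifier for node B.
NODE_OF_IDENTIFIER = {"jiediana": "A", "jiedianb": "B"}

# Constructed first log data of the person under test: (identifier, access time).
# Node A is accessed 3 times in the 10:00 hour, node B 12 times in the 11:00 hour.
FIRST_LOG = (
    [("jiediana", f"2019-11-14 10:{m:02d}:00") for m in (5, 20, 40)]
    + [("jiedianb", f"2019-11-14 11:{m:02d}:00") for m in range(0, 60, 5)]
)

# Constructed second access frequencies (times/hour) of regular users, per node.
SECOND_FREQUENCIES = {"A": [10, 8, 9, 9, 10], "B": [9, 10, 11, 10, 10]}


def first_access_frequency(records, unit_hours=1):
    """Number of accesses per functional node within a unit time (times/hour).

    Accesses are bucketed into wall-clock windows of `unit_hours` and the
    busiest window of each node is reported; the patent fixes only the unit,
    so the bucketing is an assumption of this example.
    """
    per_window = defaultdict(int)
    for identifier, timestamp in records:
        node = NODE_OF_IDENTIFIER[identifier]
        t = datetime.strptime(timestamp, TIME_FORMAT)
        window = t.replace(hour=(t.hour // unit_hours) * unit_hours,
                           minute=0, second=0, microsecond=0)
        per_window[(node, window)] += 1
    frequency = {}
    for (node, _), count in per_window.items():
        frequency[node] = max(frequency.get(node, 0.0), count / unit_hours)
    return frequency


def target_access_frequency(second_frequencies):
    """Target access frequency of one node from the 99.7 rule.

    A normal curve is fitted to the regular users' second access frequencies;
    99.7 % of them lie within mean +/- 3 sigma, and the highest frequency in
    that band (mean + 3 sigma) is the target, matching the patent's example in
    which an expected value of 20 and a band of 15..25 give a target of 25.
    """
    if len(second_frequencies) < 2:
        raise ValueError("at least two regular users are needed to fit a curve")
    return mean(second_frequencies) + 3 * pstdev(second_frequencies)


def nodes_over_target(first_frequency, targets):
    """Functional nodes whose first access frequency exceeds the target.

    A node with no target frequency is reported too: without a regular-user
    baseline it cannot be cleared (an assumption of this example).
    """
    return sorted(
        node for node, freq in first_frequency.items()
        if node not in targets or freq > targets[node]
    )


TARGETS = {node: target_access_frequency(f) for node, f in SECOND_FREQUENCIES.items()}
FLAGGED = nodes_over_target(first_access_frequency(FIRST_LOG), TARGETS)

if __name__ == "__main__":
    print("first access frequencies:", first_access_frequency(FIRST_LOG))
    print("target access frequencies:", {n: round(t, 2) for n, t in TARGETS.items()})
    print("nodes over target:", FLAGGED)
```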
  • the access sequence refers to the sequence in which the person to be detected accesses the functional node.
  • the electronic device determining, from the first log data, the access sequence of the person to be detected to the functional nodes includes:
  • the electronic device uses a machine learning method to extract the access time of each functional node from the first log data, and sorts the functional nodes by access time to obtain the access sequence of the functional nodes.
  • for example, the electronic device sorts the functional nodes by access time and obtains the access sequence: first functional node A, then functional node B, and finally functional node C.
  • S15 Establish a first queue of the functional node based on the access sequence.
  • the first queue refers to a queue formed by the sequence in which the person to be tested visits each functional node.
  • the first queue can be established based on the access sequence, providing basic conditions for subsequent formation of the first combination.
  • the first combination is obtained by sequentially splitting the first queue.
  • the splitting of the first queue by the electronic device to obtain the first combinations of functional nodes accessed by the person to be detected includes:
  • the electronic device obtains the number of configuration nodes in each first combination, uses the number of configuration nodes as the number of nodes in each combination, and sequentially splits all functional nodes in the first queue to obtain the first combinations of functional nodes accessed by the person to be detected.
  • the number of configuration nodes is determined according to the number of functional nodes visited by the person to be tested, and the number of configuration nodes may be two or three, which is not limited in this application.
  • for example, the first queue is ABCDEF. If the number of configuration nodes acquired by the electronic device is 2, 2 is used as the number of nodes in each combination, all functional nodes in the first queue are split sequentially, and the first combinations obtained are AB, BC, CD, DE and EF. If the number of configuration nodes acquired is 3, 3 is used as the number of nodes in each combination, and the first combinations obtained by sequentially splitting the first queue are ABC, BCD, CDE and DEF.
  • the first combination of the persons to be detected can be directly obtained.
  • the reference combinations are the combinations retrieved from the target set whose number of nodes equals the number of configuration nodes.
  • the electronic device establishes a target set before calling a pre-configured reference combination.
  • establishing the target set by the electronic device includes:
  • the electronic device acquires second log data of the at least one user accessing each functional node in the preset system and extracts the access sequence of the at least one user to the functional nodes from the second log data; further, the electronic device obtains the number of target nodes, uses it as the number of nodes in each combination, and sequentially splits the access sequence to obtain the second combinations of the at least one user accessing the functional nodes; it then calculates, from the second log data, the second access frequency of each second combination, arranges the second combinations from high to low second access frequency to obtain the second queue, and integrates the combinations ranked before the configuration position in the second queue to obtain the target set.
  • the number of target nodes is determined according to the number of functional nodes of the preset system, and the number of target nodes may be two or five, which is not limited in this application.
  • the configuration position may be 50 or 100, which is not limited in this application.
  • the target set can be obtained, which is convenient for the electronic device to retrieve the reference combination as needed.
  • the electronic device extracting the access sequence of the at least one user to the functional nodes from the second log data includes:
  • the electronic device obtains from the second log data the target access time at which the at least one user accesses each functional node; further, the electronic device sorts the functional nodes by target access time to obtain the access sequence of the at least one user to the functional nodes.
  • the method further includes:
  • the electronic device updates the second log data, and updates the reference combination according to the updated second log data.
  • the second preset time may be a time period, which is not limited in this application.
  • after matching the first combinations with the reference combinations, the electronic device obtains a matching result, which may include any one of the following:
  • for example, the first combinations are AD, BC, CD, DE and EF and the reference combinations are AB, BC, CD, DE and EF; among the first combinations, AD fails to match any reference combination.
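The sequence stage (access sequence from the first log data, sequential splitting of the first queue into combinations, the target set built from regular users' second log data, and the matching), as an added Python example that is not part of the patent. The timestamps, the three regular users U1 to U3 and the configuration position of 5 are constructed for the example.

```python
"""Added example, not the patent's own code: access sequence, first queue,
sequential splitting into combinations, target set and matching."""
from collections import Counter
from datetime import datetime

TIME_FORMAT = "%H:%M"

# Constructed first log data of the person under test: (functional node, access
# time), deliberately out of time order to show the sorting step.
FIRST_LOG = [("D", "09:30"), ("A", "09:00"), ("B", "10:00"), ("C", "10:20"),
             ("D", "11:00"), ("E", "11:30"), ("F", "12:00")]


def _records(nodes, start_hour=9):
    """Constructed second log data: one access per hour in the given node order."""
    return [(node, f"{start_hour + i:02d}:00") for i, node in enumerate(nodes)]


# Regular users U1..U3. U3 ends with an extra visit to A, so the combination FA
# occurs only once and ranks last when the second queue is built.
SECOND_LOG = {"U1": _records("ABCDEF"), "U2": _records("ABCDEF"), "U3": _records("ABCDEFA")}


def access_sequence(records):
    """Order the functional nodes by access time; this is the first queue."""
    ordered = sorted(records, key=lambda r: datetime.strptime(r[1], TIME_FORMAT))
    return [node for node, _ in ordered]


def split_queue(queue, node_count):
    """Sequentially split a queue into combinations of `node_count` nodes:
    ABCDEF with 2 -> AB, BC, CD, DE, EF; with 3 -> ABC, BCD, CDE, DEF."""
    if node_count < 1:
        raise ValueError("node_count must be at least 1")
    if node_count > len(queue):
        return []  # too few accesses to form even one combination
    return ["".join(queue[i:i + node_count]) for i in range(len(queue) - node_count + 1)]


def build_target_set(second_log, node_count, configuration_position):
    """Target set: count each combination over all regular users (its second
    access frequency), rank from high to low, keep those before the position."""
    counts = Counter()
    for records in second_log.values():
        counts.update(split_queue(access_sequence(records), node_count))
    ranked = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return {combination for combination, _ in ranked[:configuration_position]}


def unmatched_combinations(first_combinations, reference_combinations):
    """First combinations that fail to match any reference combination."""
    return [c for c in first_combinations if c not in reference_combinations]


def behavior_is_abnormal(first_combinations, reference_combinations):
    """The patent's rule: a single matching failure marks the behavior abnormal."""
    return bool(unmatched_combinations(first_combinations, reference_combinations))


NODE_COUNT = 2
REFERENCE = build_target_set(SECOND_LOG, NODE_COUNT, configuration_position=5)
FIRST_QUEUE = access_sequence(FIRST_LOG)
FIRST_COMBINATIONS = split_queue(FIRST_QUEUE, NODE_COUNT)

if __name__ == "__main__":
    print("first queue:", "".join(FIRST_QUEUE))
    print("first combinations:", FIRST_COMBINATIONS)
    print("reference combinations:", sorted(REFERENCE))
    print("unmatched:", unmatched_combinations(FIRST_COMBINATIONS, REFERENCE))
    print("abnormal:", behavior_is_abnormal(FIRST_COMBINATIONS, REFERENCE))
```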
  • the method further includes:
  • the electronic device obtains the first functional node whose first access frequency is greater than the target access frequency and determines whether the first functional node belongs to the target functional nodes, where the data corresponding to a target functional node contains confidential information; when the first functional node belongs to the target functional nodes, it is determined that the behavior of the person to be detected is abnormal.
  • the method further includes:
  • the electronic device controls the access authority of the person to be detected to the preset system.
  • the method further includes:
  • the electronic device obtains the first face information of the person to be detected from the monitoring device; further, the electronic device extracts from the first log data the target account used to log in to the preset system, retrieves the target face information corresponding to the target account from the configuration library, and uses face recognition technology to determine whether the first face information matches the target face information; when the first face information fails to match the target face information, the access authority of the person to be detected to the terminal device corresponding to the target face information is controlled.
  • the monitoring equipment is composed of four parts: a camera part, a transmission part, a control part and a display part.
  • the configuration library includes target face information of the at least one user.
  • the method further includes:
  • when it is determined that the behavior of the person to be detected is abnormal, the electronic device generates alarm information and sends the alarm information to the configured device of the designated contact.
  • the alarm information may include the name and ID of the person to be detected, the time when the abnormal behavior occurs, and the like.
  • the designated contact person may include a user who triggers a behavior detection instruction, and the like.
  • an alarm and reminder can be issued in time, which is beneficial to the designated contact person to take corresponding measures in time, thereby avoiding loss.
  • in summary, when a behavior detection instruction is received, this application obtains the first log data of each functional node of the person to be detected in the preset system through the buried-point technique, calculates from the first log data the first access frequency of each functional node for the person to be detected, retrieves the target access frequency of each functional node, and compares the first access frequency of each functional node with its target access frequency; when the first access frequency of a functional node is greater than the target access frequency, it determines from the first log data the sequence in which the person to be detected accessed the functional nodes, establishes the first queue of the functional nodes based on the access sequence, splits the first queue to obtain the first combinations of functional nodes accessed by the person to be detected, retrieves the pre-configured reference combinations, and matches the first combinations against the reference combinations; when any first combination fails to match, the behavior of the person to be detected is determined to be abnormal. By combining the access frequency and the access sequence of the functional nodes, abnormal behavior can be detected more comprehensively and accurately, and the relevant personnel can then be reminded, thereby avoiding information leakage.
  • the behavior detection device 11 based on log data analysis includes an acquisition unit 110, a calculation unit 111, a retrieval unit 112, a comparison unit 113, a determination unit 114, an establishment unit 115, a splitting unit 116, a matching unit 117, a processing unit 118, an extraction unit 119, an arrangement unit 120, an integration unit 121, a judgment unit 122, a control unit 123, an update unit 124, a generation unit 125, and a transmission unit 126.
  • the module/unit referred to in this application refers to a series of computer-readable instruction segments that can be executed by the processor 13 and can complete fixed functions, and are stored in the memory 12.
  • when a behavior detection instruction is received, the acquiring unit 110 acquires the first log data of each functional node of the person to be detected in the preset system through the buried-point technique.
  • the behavior detection instruction can be triggered by the user, or can be triggered automatically when certain conditions are met, which is not limited by this application.
  • the certain conditions include, but are not limited to, reaching the first preset time, etc.
  • the first preset time may include a determined time point, or include a time period, etc., for example: the first preset time may be 7 o'clock in the morning every day.
  • the preset system is a business system corresponding to the work content of the person to be tested.
  • the functions of the business system may include marketing planning, sales, sales process management, customer service management, customer relationship management, risk prevention, etc.
  • the first log data refers to data that records a series of operations of the person to be tested on each functional node in the preset system, and the first log data plays an important role in processing tasks such as historical data.
  • the acquiring unit 110 acquiring the first log data of each functional node of the person to be detected in the preset system through the buried-point technique includes:
  • the acquisition unit 110 obtains, through the buried-point technique, the access behavior of the person to be detected on each functional node and the first access time at which the access behavior occurs; further, the acquisition unit 110 records the access behavior and the first access time to obtain the first log data of each functional node.
  • the buried-point technique is a data collection method for privately deployed systems; it can be understood as marking and tracking data, tracing data links, and so on.
  • for example, the first log data may record that person A to be detected visits functional node A at 10:00, functional node B at 15:00 and functional node C at 18:00.
  • the first log data can be quickly and accurately obtained, thereby facilitating calculation of the frequency of visits to each functional node by the person to be tested.
  • the calculation unit 111 calculates the first access frequency of each functional node of the person to be detected according to the first log data.
  • the first visit frequency refers to the number of visits to the functional node by the person to be inspected within a unit time.
  • the unit time may include a time period, etc., for example: the unit time may be 1 hour, which is not limited in this application.
  • the calculation unit 111 calculating the first access frequency of each functional node of the person to be detected according to the first log data includes:
  • the calculation unit 111 determines the access identifier corresponding to each functional node; further, using the nondeterministic finite automaton (NFA) matching principle, the calculation unit 111 identifies each access identifier in the first log data and counts the occurrences of each access identifier per unit time to obtain the first access frequency of each functional node for the person to be detected.
  • for example, the calculation unit 111 obtains the access identifier of functional node A as jiediana; further, the calculation unit 111 recognizes from the first log data that jiediana occurs 10 times in one hour, so the first access frequency of functional node A is 10 times/hour.
  • the frequency of visits to each functional node of the person to be detected can be accurately calculated.
  • the retrieval unit 112 retrieves the target access frequency of each functional node.
  • the target access frequency is determined based on the 99.7 rule (the three-sigma rule) of the normal distribution curve.
  • the acquiring unit 110 acquires the frequency at which at least one user accesses each functional node as the second access frequency; further, the processing unit 118 performs normal distribution processing on the second access frequencies of each functional node to obtain the normal distribution curve of each functional node; further, the acquiring unit 110 obtains from the normal distribution curve the third access frequencies satisfying the 99.7 rule, and the determining unit 114 determines the highest third access frequency as the target access frequency.
  • for example, the expected value of the at least one user accessing functional node A is 20 times/hour, and 99.7% of the at least one user access functional node A with a third access frequency ranging from 15 times/hour to 25 times/hour; therefore, the determining unit 114 confirms the highest third access frequency, 25 times/hour, as the target access frequency of functional node A.
  • the at least one user includes, but is not limited to: regular users with high frequency of access to each functional node, etc.
  • the second access frequency is the frequency at which the at least one user accesses each functional node.
  • for example, if user C accesses functional node A 10 times/hour and user D accesses functional node A 8 times/hour, then the second access frequency of user C for functional node A is 10 times/hour and the second access frequency of user D for functional node A is 8 times/hour.
  • the frequency of regular users' access to each functional node can be obtained, and the target access frequency of each functional node can be further determined.
  • the comparison unit 113 compares the first access frequency of each functional node with the target access frequency of each functional node.
  • after the comparison unit 113 compares the first access frequency of each functional node with the target access frequency of each functional node, the obtaining unit 110 obtains a comparison result, which may be either of the following:
  • there is a functional node whose first access frequency is greater than the target access frequency;
  • the first access frequency of each functional node is less than the target access frequency.
  • for example, the first access frequency of person A under test is 3 times/hour for functional node A, 100 times/hour for functional node B and 4 times/hour for functional node C, while the retrieved target access frequencies are 8 times/hour for functional node A, 10 times/hour for functional node B and 12 times/hour for functional node C; the comparison unit 113 compares the first access frequency of each functional node with its target access frequency, and the comparison result is that there is a functional node, B, whose first access frequency is greater than the target access frequency.
  • the comparison result of the first access frequency and the target access frequency of each functional node can be obtained, and the comparison result can be used as a necessary condition for behavior detection.
  • the determining unit 114 determines the order in which the person to be detected visits the functional node from the first log data.
  • the access sequence refers to the sequence in which the person to be detected accesses the functional node.
  • the determining unit 114 determining, from the first log data, the access sequence of the person to be detected to the functional node includes:
  • the determining unit 114 uses a machine learning method to extract the access time of each functional node from the first log data and sorts the functional nodes in order of access time to obtain the access sequence of the functional nodes.
  • for example, it is obtained from the first log data that the access time of the functional node A is 7 o'clock this morning, the access time of the functional node B is 7:30 this morning and the access time of the functional node C is 8 o'clock this morning; sorting the functional nodes by access time gives the access order: first the functional node A, then the functional node B, and finally the functional node C.
  • the establishment unit 115 establishes the first queue of the functional nodes based on the access sequence.
  • the first queue refers to a queue formed by the sequence in which the person to be tested visits each functional node.
  • the first queue can be established based on the access sequence, providing basic conditions for subsequent formation of the first combination.
  • the splitting unit 116 splits the first queue to obtain the first combination for the person to be tested to access the functional node.
  • the first combination is obtained by sequentially splitting the first queue.
  • the splitting unit 116 splits the first queue, and obtains the first combination for the person to be tested to access the functional node, including:
  • the splitting unit 116 obtains the number of configuration nodes in each first combination, uses the number of configuration nodes as the number of nodes in each combination, and sequentially splits all functional nodes in the first queue to obtain the first combinations for the person to be tested to access the functional nodes.
  • the number of configuration nodes is determined according to the number of functional nodes visited by the person to be tested, and the number of configuration nodes may be two or three, which is not limited in this application.
  • for example, the first queue is ABCDEF
  • if the number of configuration nodes acquired by the splitting unit 116 is 2, the number 2 is used as the number of nodes in each combination and the first queue is split sequentially, and the first combinations obtained by splitting are AB, BC, CD, DE and EF
  • if the number of configuration nodes acquired by the splitting unit 116 is 3, the number 3 is used as the number of nodes in each combination and all functional nodes in the first queue are split sequentially, and the first combinations obtained by splitting are ABC, BCD, CDE and DEF.
  • the first combination of the persons to be detected can be directly obtained.
  • the retrieval unit 112 retrieves a pre-configured reference combination.
  • the reference combination is a combination retrieved from the target set whose number of nodes equals the number of configuration nodes.
  • the target set is established before the pre-configured benchmark combination is retrieved.
  • establishing the target set includes:
  • the acquiring unit 110 acquires the second log data of the at least one user's access to each functional node in the preset system, and the extracting unit 119 extracts the access sequence of the at least one user to the functional nodes from the second log data; further, the acquiring unit 110 acquires the number of target nodes, and the splitting unit 116 uses the number of target nodes as the number of nodes in each combination to sequentially split the access sequence, obtaining the second combinations of the at least one user's access to the functional nodes; the calculation unit 111 calculates, according to the second log data, the second access frequency of each second combination; the arrangement unit 120 arranges the second combinations by second access frequency from high to low to obtain a second queue; and the integration unit 121 integrates the combinations before the configuration position in the second queue to obtain the target set.
  • the number of target nodes is determined according to the number of functional nodes of the preset system, and the number of target nodes may be two or five, which is not limited in this application.
  • the configuration position may be 50 or 100, which is not limited in this application.
  • the target set can be obtained, so that the retrieval unit 112 can retrieve the reference combination as needed.
  • the establishment unit 115 extracting the access sequence of the at least one user to the functional node from the second log data includes:
  • the establishing unit 115 obtains the target access time of the at least one user to each functional node from the second log data, and further sorts the functional nodes according to the target access time to obtain the access sequence of the at least one user to the functional nodes.
  • the update unit 124 updates the second log data every second preset time, and the update unit 124 updates the reference combination according to the updated second log data.
  • the second preset time may be a time period, which is not limited in this application.
  • the matching unit 117 matches the first combination with the reference combination.
  • the obtaining unit 110 after matching the first combination with the reference combination, obtains a matching result, and the matching result may include any one of the following:
  • for example, the first combinations are AD, BC, CD, DE and EF
  • the reference combinations are AB, BC, CD, DE and EF
  • in the first combinations, AD fails to match the reference combinations.
  • the acquiring unit 110 acquires the first functional node whose first access frequency is greater than the target access frequency
  • the judging unit 122 judges whether the first functional node belongs to the target functional nodes, where the data corresponding to the target functional nodes contains confidential information, and when the first functional node belongs to the target functional nodes, the determining unit 114 determines that the behavior of the person to be detected is abnormal.
  • the determining unit 114 determines that the behavior of the person to be detected is abnormal.
  • the control unit 123 controls the access permission of the person to be detected to the preset system.
  • the acquiring unit 110 acquires the first face information of the person to be detected from the monitoring device; further, the extraction unit 119 extracts the target account that logged in to the preset system from the first log data, the retrieval unit 112 retrieves the target face information corresponding to the target account from the configuration library, and the judging unit 122 uses face recognition technology to judge whether the first face information matches the target face information; when the first face information matches the target face information, the control unit 123 controls the access authority of the person to be detected to the terminal device corresponding to the target face information.
  • the monitoring equipment is composed of four parts: a camera part, a transmission part, a control part and a display part.
  • the configuration library includes target face information of the at least one user.
  • when it is determined that the behavior of the person to be detected is abnormal, the generating unit 125 generates alarm information, and further, the sending unit 126 sends the alarm information to the configuration device of the designated contact.
  • the alarm information may include the name and ID of the person to be detected, the time when the abnormal behavior occurs, and the like.
  • the designated contact person may include a user who triggers a behavior detection instruction, and the like.
  • an alarm and reminder can be issued in time, which is beneficial to the designated contact person to take corresponding measures in time, thereby avoiding loss.
  • the present application can detect abnormal behaviors more comprehensively and accurately by combining the access frequency and access sequence of the functional nodes, and then alert relevant personnel to avoid information leakage.
  • FIG. 3 is a schematic structural diagram of an electronic device according to a preferred embodiment of the application for realizing a behavior detection method based on log data analysis.
  • the electronic device includes a processor 13 and a memory 12.
  • the processor 13 executes the operating system of the electronic device 1 and various installed applications.
  • the processor 13 executes the application program to implement the steps in the above embodiments of the behavior detection method based on log data analysis, such as steps S10, S11, S12, S13, S14, S15, S16, S17, S18 and S19 shown in FIG. 1; alternatively, when the processor 13 executes the computer-readable instructions, the functions of the modules/units in the foregoing device embodiments are implemented.
  • the computer-readable instructions may be divided into one or more modules/units, and the one or more modules/units are stored in the memory 12 and executed by the processor 13 to complete this application.
  • the one or more modules/units may be a series of computer-readable instruction segments capable of completing specific functions, and the instruction segments are used to describe the execution process of the computer-readable instructions in the electronic device 1.
  • the computer-readable instructions may be divided into units in FIG. 2.
  • the memory 12 may be used to store the computer-readable instructions and/or modules.
  • the processor 13 runs or executes the computer-readable instructions and/or modules stored in the memory 12 and calls the data stored in the memory 12 to realize the various functions of the electronic device 1.
  • the memory 12 may mainly include a storage program area and a storage data area.
  • the storage program area may store an operating system, an application program required by at least one function (such as a sound playback function, an image playback function, etc.), etc.; the storage data area may store data created based on the use of the electronic device.
  • the memory 12 may include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a smart memory card (Smart Media Card, SMC), a Secure Digital (SD) card, a flash memory card (Flash Card), at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device.
  • the memory 12 may be an external memory and/or an internal memory of the electronic device 1. Further, the memory 12 may be a circuit with a storage function that does not have a physical form in an integrated circuit, such as FIFO (First In First Out) and so on. Alternatively, the memory 12 may also be a memory in a physical form, such as a memory stick, a TF card (Trans-flash Card), and so on.
  • if the integrated module/unit of the electronic device 1 is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a non-volatile computer-readable storage medium.
  • all or part of the processes in the methods of the above-mentioned embodiments of this application can also be completed by instructing relevant hardware through computer-readable instructions.
  • the computer-readable instructions may be stored in a non-volatile readable storage medium, and when the computer-readable instructions are executed by the processor, the steps of the foregoing method embodiments can be implemented.
  • the computer-readable instruction code may be in the form of source code, object code, executable file, or some intermediate form, etc.
  • the computer-readable medium may include: any entity or device capable of carrying the computer-readable instruction code, recording medium, U disk, mobile hard disk, magnetic disk, optical disk, computer memory, read-only memory (ROM, Read-Only Memory).
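The first queue, first combination, target set and matching steps described in the list above, as an added Python example (not code from the patent or its applicant): the person's access events are sorted by access time into the first queue, the queue is split sequentially into combinations of a configured number of nodes, the target set is built from regular users' sequences by ranking every combination from high to low frequency and keeping those before a configured position, and the combinations of the person's queue that match no reference combination are reported. The node names, the regular users' sequences, the person's events and the parameters (2 nodes per combination, position 5) are all constructed assumptions.

```python
"""Access-order combinations matched against a reference set (added example)."""
from collections import Counter

# Constructed access events of the person to be detected: (ISO-8601 time, node).
# Listed out of order on purpose so the sort by access time is visible.
PERSON_EVENTS = [
    ("2019-09-23T08:00:00", "C"),
    ("2019-09-23T07:00:00", "A"),
    ("2019-09-23T08:20:00", "E"),
    ("2019-09-23T07:30:00", "D"),
    ("2019-09-23T08:10:00", "D"),
    ("2019-09-23T07:45:00", "B"),
    ("2019-09-23T08:40:00", "F"),
]

# Constructed, already time-ordered access sequences of regular users
# (stands in for the sequences extracted from the "second log data").
REGULAR_SEQUENCES = [
    list("ABCDEF"),
    list("ABCDEF"),
    list("ABCDEFB"),
    list("BCDEF"),
]


def access_order(events):
    """Sort by access time (ISO-8601 strings sort chronologically) and return the
    node sequence, i.e. the first queue."""
    return [node for _, node in sorted(events)]


def split_queue(queue, n):
    """Sequentially split a queue into overlapping combinations of n adjacent nodes;
    a queue shorter than n yields no combination."""
    if n < 1 or len(queue) < n:
        return []
    return [tuple(queue[i:i + n]) for i in range(len(queue) - n + 1)]


def build_target_set(sequences, n, position):
    """Count every n-node combination across the regular users' sequences, rank
    them from high to low frequency (ties broken by name for determinism) and
    keep the combinations before `position` as the reference combinations."""
    counts = Counter()
    for seq in sequences:
        counts.update(split_queue(seq, n))
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return {combo for combo, _ in ranked[:position]}


def unmatched_combinations(first_combinations, reference):
    """Return the first combinations that match no reference combination."""
    return [c for c in first_combinations if c not in reference]


def detect(events, sequences, n=2, position=5):
    """Return the person's combinations that failed to match; an empty list means
    every combination matched and no abnormality is flagged by this step."""
    first_queue = access_order(events)
    reference = build_target_set(sequences, n, position)
    return unmatched_combinations(split_queue(first_queue, n), reference)


if __name__ == "__main__":
    print(detect(PERSON_EVENTS, REGULAR_SEQUENCES))
```

With the constructed data the person's first queue is ADBCDEF, its combinations are AD, DB, BC, CD, DE and EF, the reference set is {AB, BC, CD, DE, EF}, and AD and DB are reported as match failures. Because the target set is cut at a position in the ranked second queue rather than at a frequency threshold, rarely used but legitimate paths drop out of the reference set as the position shrinks, so the position should be reviewed against the false-positive rate on known-good users before it is used for blocking rather than alerting.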

Abstract

Provided are a log data analysis-based behavior detection method, apparatus, device, and medium. The method comprises: obtaining first log data of a person to be detected at each functional node in a preset system; calculating the first access frequency of the person to be detected for each functional node, retrieving the target access frequency of each functional node, and comparing the two; if the first access frequency of a functional node is greater than the target access frequency, determining from the first log data the sequence in which the person to be detected accessed the functional nodes, establishing a first queue of the functional nodes, and splitting the first queue to obtain first combinations; retrieving a pre-configured reference combination and matching the first combinations against it; and if any first combination fails to match, determining that the behavior of the person to be detected is abnormal. Abnormal behavior is thereby detected more comprehensively and accurately, relevant personnel are alerted, and security protection is carried out.

Description

Behavior detection method, device, equipment and medium based on log data analysis
This application claims priority to the Chinese patent application filed with the Chinese Patent Office on September 23, 2019, with application number 201910900782.7 and titled "Behavior detection method, device, electronic equipment and storage medium", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the technical field of security protection, and in particular to a behavior detection method, device, equipment and medium based on log data analysis.
Background
In existing technical solutions, the Isolation Forest algorithm is usually used to detect whether user behavior is abnormal. However, the Isolation Forest algorithm places very high requirements on the number of samples, and samples are not easy to obtain; at the same time, the Isolation Forest algorithm detects user behavior only from the number of visits, so its accuracy is low.
Summary of the invention
In view of the above, it is necessary to provide a behavior detection method, device, equipment and medium based on log data analysis that can detect abnormal behavior more comprehensively and accurately and then alert relevant personnel, thereby avoiding information leakage.
A behavior detection method based on log data analysis, the method comprising: when a behavior detection instruction is received, obtaining, through buried-point (event tracking) instrumentation, first log data of a person to be detected at each functional node in a preset system; calculating, from the first log data, a first access frequency of the person to be detected for each functional node; retrieving a target access frequency of each functional node; comparing the first access frequency of each functional node with the target access frequency of each functional node; when the first access frequency of a functional node is greater than the target access frequency, determining from the first log data the order in which the person to be detected accessed the functional nodes; establishing a first queue of the functional nodes based on the access order; splitting the first queue to obtain first combinations of the functional nodes accessed by the person to be detected; retrieving a pre-configured reference combination; matching the first combinations against the reference combination; and, when a combination in the first combinations fails to match, determining that the behavior of the person to be detected is abnormal.
A behavior detection device based on log data analysis, the device comprising: an acquisition unit, configured to obtain, through buried-point (event tracking) instrumentation, first log data of a person to be detected at each functional node in a preset system when a behavior detection instruction is received; a calculation unit, configured to calculate, from the first log data, a first access frequency of the person to be detected for each functional node; a retrieval unit, configured to retrieve a target access frequency of each functional node; a comparison unit, configured to compare the first access frequency of each functional node with the target access frequency of each functional node; a determining unit, configured to determine from the first log data the order in which the person to be detected accessed the functional nodes when the first access frequency of a functional node is greater than the target access frequency; an establishing unit, configured to establish a first queue of the functional nodes based on the access order; a splitting unit, configured to split the first queue to obtain first combinations of the functional nodes accessed by the person to be detected; the retrieval unit, further configured to retrieve a pre-configured reference combination; a matching unit, configured to match the first combinations against the reference combination; and the determining unit, further configured to determine that the behavior of the person to be detected is abnormal when a combination in the first combinations fails to match.
An electronic device, comprising: a memory storing at least one instruction; and
a processor executing the instructions stored in the memory to implement the behavior detection method based on log data analysis.
A non-volatile readable storage medium storing at least one instruction, the at least one instruction being executed by a processor in an electronic device to implement the behavior detection method based on log data analysis.
It can be seen from the above technical solutions that this application can detect abnormal behavior more comprehensively and accurately and then alert relevant personnel, thereby avoiding information leakage.
Description of the drawings
Fig. 1 is a flowchart of a preferred embodiment of the behavior detection method based on log data analysis of the present application.
Fig. 2 is a functional module diagram of a preferred embodiment of the behavior detection device based on log data analysis of the present application.
Fig. 3 is a schematic structural diagram of an electronic device implementing a preferred embodiment of the behavior detection method based on log data analysis of the present application.
Detailed description
Fig. 1 is a flowchart of a preferred embodiment of the behavior detection method based on log data analysis of the present application. According to different needs, the order of the steps in the flowchart may be changed and some steps may be omitted.
The behavior detection method based on log data analysis is applied to one or more electronic devices. An electronic device is a device that can automatically perform numerical calculation and/or information processing according to preset or stored instructions; its hardware includes, but is not limited to, microprocessors, application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), digital signal processors (DSPs), embedded devices, etc.
The electronic device may be any electronic product capable of human-computer interaction with a user, such as a personal computer, tablet computer, smartphone, personal digital assistant (PDA), game console, Internet Protocol Television (IPTV), smart wearable device, etc.
The electronic device may also include a network device and/or user equipment. The network device includes, but is not limited to, a single network server, a server group composed of multiple network servers, or a cloud composed of a large number of hosts or network servers based on cloud computing.
The network in which the electronic device is located includes, but is not limited to, the Internet, a wide area network, a metropolitan area network, a local area network, a virtual private network (VPN), etc.
S10: When a behavior detection instruction is received, obtain, through buried-point (event tracking) instrumentation, the first log data of the person to be detected at each functional node in the preset system.
In at least one embodiment of the present application, the behavior detection instruction may be triggered by a user, or triggered automatically when a certain condition is met, which is not limited by this application.
The certain condition includes, but is not limited to, reaching a first preset time, etc.
The first preset time may be a fixed point in time or a time period; for example, the first preset time may be 7 o'clock every morning.
In at least one embodiment of the present application, the preset system is the business system corresponding to the work content of the person to be detected.
The functions of the business system may include marketing planning, sales, sales process management, customer service management, customer relationship management, risk prevention, etc.
The first log data is data recording the series of operations performed by the person to be detected at each functional node in the preset system; the first log data plays an important role in tasks such as processing historical data.
In at least one embodiment of the present application, obtaining through buried-point instrumentation the first log data of the person to be detected at each functional node in the preset system includes:
The electronic device obtains, through buried-point instrumentation, the access behavior of the person to be detected at each functional node and the first access time at which the access behavior occurred; further, the electronic device records the access behavior and the first access time to obtain the first log data of each functional node.
Buried-point instrumentation is a data collection method for privately deployed systems; it can be understood as tagging and tracking data, tracking data links, and so on.
For example, the first log data may include: the person to be detected, Jia, accessed functional node A at 10:00, functional node B at 15:00, and functional node C at 18:00.
Through the above implementation, the first log data can be obtained quickly and accurately, which facilitates calculating the frequency with which the person to be detected accesses each functional node.
S11: Calculate, from the first log data, the first access frequency of the person to be detected for each functional node.
In at least one embodiment of the present application, the first access frequency is the number of times the person to be detected accesses a functional node per unit time.
The unit time may be a time period; for example, the unit time may be 1 hour, which is not limited in this application.
In at least one embodiment of the present application, the electronic device calculating, from the first log data, the first access frequency of the person to be detected for each functional node includes:
The electronic device determines the access identifier corresponding to each functional node; further, the electronic device uses the matching principle of a non-deterministic finite automaton (NFA) to recognize each access identifier in the first log data and counts the occurrences of each access identifier within the unit time, obtaining the first access frequency of the person to be detected for each functional node.
For example, the electronic device obtains the access identifier of functional node A as jiediana; further, the electronic device recognizes from the first log data that jiediana occurs 10 times within one hour, so the first access frequency for functional node A is 10 times/hour.
Through the above implementation, the frequency with which the person to be detected accesses each functional node can be calculated accurately.
S12: Retrieve the target access frequency of each functional node.
In at least one embodiment of the present application, the target access frequency is determined based on the 99.7 rule of the normal distribution curve.
In at least one embodiment of the present application, before the target access frequency of each functional node is retrieved, the method further includes:
The electronic device obtains the frequency with which at least one user accesses each functional node as the second access frequency, fits the second access frequencies of each functional node to a normal distribution to obtain the normal distribution curve of each functional node, takes from the normal distribution curve the third access frequencies that satisfy the 99.7 rule, and determines the highest third access frequency as the target access frequency.
For example, the expected value of the at least one user's access frequency for functional node A is 20 times/hour, and 99.7% of the at least one user access functional node A with a third access frequency between 15 times/hour and 25 times/hour; therefore, the electronic device takes the highest third access frequency, 25 times/hour, as the target access frequency of functional node A.
The at least one user includes, but is not limited to, regular users who access each functional node relatively frequently, etc.
The second access frequency is the frequency with which the at least one user accesses each functional node.
For example, user C accesses functional node A 10 times/hour and user D accesses functional node A 8 times/hour, so the second access frequency of user C for functional node A is 10 times/hour and that of user D is 8 times/hour.
Through the above implementation, based on the 99.7 rule, the frequency with which regular users access each functional node can be obtained, and the target access frequency of each functional node can then be determined.
S13,对比每个功能节点的第一访问频次与每个功能节点的目标访问频次。S13: Compare the first access frequency of each functional node with the target access frequency of each functional node.
在本申请的至少一个实施例中,在对比每个功能节点的第一访问频次与每个功能节点的目标访问频次之后,所述电子设备获取比较结果,所述比较结果可以包括以下任意一种:In at least one embodiment of the present application, after comparing the first access frequency of each functional node with the target access frequency of each functional node, the electronic device obtains a comparison result, and the comparison result may include any of the following :
(1)存在功能节点的第一访问频次大于目标访问频次。(1) The first access frequency of a functional node is greater than the target access frequency.
(2)每个功能节点的第一访问频次均小于目标访问频次。(2) The first access frequency of each functional node is less than the target access frequency.
例如:所述待检测人员甲访问所述功能节点A的第一访问频次为3次/小时,访问所述功能节点B的第一访问频次为100次/小时,访问所述功能节点C的第一访问频次为4次/小时,并且所述电子设备调取到的所述功能节点A的目标访问频次为8次/小时,访问所述功能节点B的目标访问频次为10次/小时,访问所述功能节点C的目标访问频次为12次/小时,所述电子设备对比每个功能节点的第一访问频次与每个功能节点的目标访问频次,得到所述比较结果为存在功能节点B的第一访问频次大于目标访问频次。For example: the first visit frequency of the person under test A to visit the functional node A is 3 times/hour, the first visit frequency to visit the functional node B is 100 times/hour, and the first visit frequency to visit the functional node C A visit frequency is 4 times/hour, and the target visit frequency of the functional node A called by the electronic device is 8 times/hour, and the target visit frequency to visit the function node B is 10 times/hour. The target access frequency of the functional node C is 12 times/hour, and the electronic device compares the first access frequency of each functional node with the target access frequency of each functional node, and obtains that the comparison result is that there is a functional node B The first visit frequency is greater than the target visit frequency.
通过上述实施方式,能够得到每个功能节点的第一访问频次与目标访问频次的比较结果,进而能够将所述比较结果作为行为检测的必备条件。Through the foregoing implementation manners, the comparison result of the first access frequency and the target access frequency of each functional node can be obtained, and the comparison result can be used as a necessary condition for behavior detection.
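The frequency baseline and comparison of S12 and S13, worked through in code. This is an added example written for this page, not code from the application: it reads constructed log lines in an assumed format (ISO timestamp, account, access identifier), takes the upper edge of the 99.7% band as the mean plus three standard deviations of regular users' hourly access counts, and flags every hour in which the subject's count for a node is greater than that bound. The account names, timestamps and the identifier jiedianb are assumptions; jiediana follows the page's own example for node A.

```python
"""Added example, not the patent's own code: the per-node target access
frequency of S12/S13 computed as mean + 3 sigma of regular users' hourly
access counts (the 99.7 % band of a normal fit), followed by the comparison
of one subject's hourly counts against that bound.

The log format, account names and access identifiers are constructed;
the patent does not specify them."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed log line format: "<ISO timestamp> <account> <access identifier>".
# "jiediana" is the page's example identifier for node A; "jiedianb" for node B
# is assumed here.
NODE_IDS = {"jiediana": "A", "jiedianb": "B"}

# Second log data: regular users bing, ding and wu (constructed).
REGULAR_USER_LOG = """\
2019-11-12T09:02:11 bing jiediana
2019-11-12T09:20:45 bing jiediana
2019-11-12T09:51:03 bing jiediana
2019-11-12T09:05:30 ding jiediana
2019-11-12T09:44:12 ding jiediana
2019-11-12T09:01:59 wu jiediana
2019-11-12T09:17:22 wu jiediana
2019-11-12T09:33:08 wu jiediana
2019-11-12T09:58:41 wu jiediana
2019-11-12T10:06:14 bing jiediana
2019-11-12T10:27:50 bing jiediana
2019-11-12T10:49:37 bing jiediana
2019-11-12T09:12:00 bing jiedianb
2019-11-12T09:36:10 ding jiedianb
2019-11-12T10:08:25 wu jiedianb
2019-11-12T10:40:55 wu jiedianb
"""

# First log data: the person to be detected, jia (constructed).
SUBJECT_LOG = """\
2019-11-12T11:00:12 jia jiediana
2019-11-12T11:04:48 jia jiediana
2019-11-12T11:09:31 jia jiediana
2019-11-12T11:15:07 jia jiediana
2019-11-12T11:22:53 jia jiediana
2019-11-12T11:31:40 jia jiediana
2019-11-12T11:47:19 jia jiediana
2019-11-12T11:12:02 jia jiedianb
2019-11-12T11:38:44 jia jiedianb
"""


def hourly_counts(log_text):
    """Number of accesses per (account, node, hour); the hour is the timestamp
    truncated to "YYYY-MM-DDTHH", so the unit time is one hour as on the page."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            ts, account, access_id = line.split()
            counts[(account, NODE_IDS[access_id], ts[:13])] += 1
    return counts


def target_frequencies(regular_log_text):
    """Per-node target: mean + 3 * population stdev of regular users' hourly counts.

    Only (user, hour) buckets with at least one access are samples, matching the
    page's "frequency of users who access the node". A node seen in a single
    bucket gets stdev 0, so its target collapses to that one count."""
    samples = defaultdict(list)
    for (_, node, _), n in hourly_counts(regular_log_text).items():
        samples[node].append(n)
    return {node: mean(v) + 3 * pstdev(v) for node, v in samples.items()}


def exceeding_nodes(subject_log_text, targets):
    """(node, hour, count) for each subject hour in which a node's first access
    frequency is greater than its target; nodes without a baseline are skipped."""
    return [
        (node, hour, n)
        for (_, node, hour), n in sorted(hourly_counts(subject_log_text).items())
        if node in targets and n > targets[node]
    ]


if __name__ == "__main__":
    targets = target_frequencies(REGULAR_USER_LOG)
    print({k: round(v, 2) for k, v in targets.items()})  # {'A': 5.12, 'B': 2.75}
    print(exceeding_nodes(SUBJECT_LOG, targets))          # [('A', '2019-11-12T11', 7)]
```

A caveat the page does not state: with only a handful of (user, hour) samples per node, as here, the standard deviation estimate is rough, and a node seen in a single bucket gets a target equal to that one count, so a deployment should require a minimum sample count before trusting the bound. The example also counts only buckets with at least one access, matching the page's wording; including zero-access hours would lower both the mean and the target.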
S14: When there is a functional node whose first access frequency is greater than its target access frequency, determine from the first log data the order in which the person to be detected accessed the functional nodes.
In at least one embodiment of the present application, the access order is the order in which the person to be detected accessed the functional nodes.
In at least one embodiment of the present application, the electronic device determining from the first log data the order in which the person to be detected accessed the functional nodes includes:
The electronic device extracts the access time of each functional node from the first log data using a machine learning method, and sorts the functional nodes in chronological order of access time to obtain the access order of the functional nodes.
For example: from the first log data it is obtained that functional node A was accessed at 7:00 this morning, functional node B at 7:30 and functional node C at 8:00. The electronic device sorts the functional nodes by access time and obtains the access order: functional node A first, then functional node B, and finally functional node C.
Through the above embodiment, the order in which the person to be detected accessed the functional nodes can be determined accurately, which allows the first queue to be built quickly afterwards and the access order to be used as a condition for behaviour detection.
S15: Build the first queue of functional nodes based on the access order.
In at least one embodiment of the present application, the first queue is a queue made up of the functional nodes in the order in which the person to be detected accessed them.
Through the above embodiment, the first queue can be built from the access order, which provides the basis for forming the first combinations.
S16: Split the first queue to obtain the first combinations of functional nodes accessed by the person to be detected.
In at least one embodiment of the present application, the first combinations are obtained by splitting the first queue in order.
In at least one embodiment of the present application, the electronic device splitting the first queue to obtain the first combinations of functional nodes accessed by the person to be detected includes:
The electronic device obtains the configured node count of each first combination, takes the configured node count as the number of nodes per combination, and splits all functional nodes in the first queue in turn to obtain the first combinations of functional nodes accessed by the person to be detected.
The configured node count is determined according to the number of functional nodes accessed by the person to be detected; it may be 2 or 3, which is not limited in this application.
For example: the first queue is ABCDEF. If the configured node count obtained by the electronic device is 2, the first queue is split with 2 nodes per combination and the first combinations are AB, BC, CD, DE and EF; if the configured node count is 3, the first queue is split with 3 nodes per combination and the first combinations are ABC, BCD, CDE and DEF. As the example shows, the combinations are overlapping windows that advance one node at a time, so a queue of m nodes yields m - n + 1 combinations of n nodes.
Through the above embodiment, the first combinations of the person to be detected can be obtained directly.
S17: Retrieve the pre-configured baseline combinations.
In at least one embodiment of the present application, the baseline combinations are the combinations retrieved from the target set whose node count equals the configured node count.
In at least one embodiment of the present application, before retrieving the pre-configured baseline combinations, the electronic device builds the target set.
Specifically, the electronic device building the target set includes:
The electronic device obtains second log data of the at least one user accessing each functional node in the preset system and extracts from the second log data the access sequence of the at least one user to the functional nodes. Further, the electronic device obtains the target node count, takes it as the number of nodes per combination and splits the access sequence in turn to obtain the second combinations of functional nodes accessed by the at least one user. According to the second log data, it computes the second access frequency of each second combination (here, the number of times that combination occurs), arranges the second combinations in descending order of second access frequency to obtain the second queue, and integrates the combinations ranked before the configured position in the second queue into the target set.
The target node count is determined according to the number of functional nodes in the preset system; it may be 2 or 5, which is not limited in this application. Since the baseline combinations are retrieved from the target set by the configured node count, the target set must contain combinations of the size used in S16 for the matching in S18 to be possible.
The configured position may be 50 or 100, which is not limited in this application.
Through the above embodiment, the target set can be obtained, which allows the electronic device to retrieve the baseline combinations as needed.
In at least one embodiment of the present application, the electronic device extracting the access sequence of the at least one user to the functional nodes from the second log data includes:
The electronic device obtains from the second log data the target access time at which the at least one user accessed each functional node, and sorts the functional nodes by target access time to obtain the access sequence of the at least one user to the functional nodes.
In at least one embodiment of the present application, the method further includes:
At every second preset time, the electronic device updates the second log data and updates the baseline combinations according to the updated second log data.
The second preset time may be a time period, which is not limited in this application.
S18: Match the first combinations against the baseline combinations.
In at least one embodiment of the present application, after matching the first combinations against the baseline combinations, the electronic device obtains a matching result, which is one of the following:
(1) Every first combination is matched successfully in the baseline combinations.
(2) Some first combination fails to match the baseline combinations.
For example: the first combinations are AD, BC, CD, DE and EF, and the baseline combinations are AB, BC, CD, DE and EF. The first combination AD fails to match the baseline combinations.
In at least one embodiment of the present application, the method further includes:
If every first combination is matched successfully in the baseline combinations, the electronic device obtains the first functional node whose first access frequency is greater than its target access frequency and determines whether the first functional node belongs to the target functional nodes, where the data corresponding to a target functional node contains confidential information. When the first functional node belongs to the target functional nodes, the behaviour of the person to be detected is determined to be abnormal.
Through the above embodiment, when the first access frequency of the person to be detected to a target functional node is greater than the target access frequency, the behaviour of the person to be detected is determined to be abnormal, so that measures can be taken to prevent leakage of confidential information.
S19: When any first combination fails to match, determine that the behaviour of the person to be detected is abnormal.
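Steps S14 to S19 worked through in code, as an added example that is not part of the application: the subject's (time, node) events are sorted into the first queue, split into overlapping combinations of a configured size, and matched against a baseline set built from regular users' sequences as the top-K most frequent combinations of the same size. An unmatched combination marks the behaviour abnormal; if every combination matches, the over-frequency nodes from S13 are checked against the nodes holding confidential data, as described above. The sequences, timestamps, K and the confidential node set are constructed for the example.

```python
"""Added example, not the patent's own code: steps S14 to S19. The subject's
access order is derived by sorting access events by time (the first queue),
split into fixed-size adjacent combinations, and matched against a baseline
set built from regular users' sequences as the top-K most frequent
combinations of the same size. An unmatched combination marks the behaviour
abnormal; if all match, the over-frequency nodes are checked against the
nodes holding confidential data, as the text describes.

Sequences, timestamps, K and the confidential node set are constructed."""
from collections import Counter

# Second log data reduced to ordered node sequences, one per regular user
# session (constructed). ABCEF and ACDEF are rare variants.
REGULAR_SEQUENCES = [
    list("ABCDEF"), list("ABCDEF"), list("ABCDE"), list("ABCEF"), list("ACDEF"),
]
# Functional nodes whose data contains confidential information (constructed).
CONFIDENTIAL_NODES = {"B", "F"}

# First log data of the person to be detected as (time, node) events, left
# unsorted on purpose (constructed).
SUBJECT_EVENTS = [
    ("2019-11-12T07:30:00", "C"),
    ("2019-11-12T07:00:00", "A"),
    ("2019-11-12T08:00:00", "D"),
    ("2019-11-12T08:15:00", "E"),
    ("2019-11-12T08:40:00", "F"),
]
NORMAL_EVENTS = [(f"2019-11-12T07:{i:02d}:00", n) for i, n in enumerate("ABCDEF")]


def access_order(events):
    """S14/S15: sort (time, node) events chronologically; the node list is the first queue."""
    return [node for _, node in sorted(events)]


def split_combinations(queue, n):
    """S16: overlapping windows of n adjacent nodes, e.g. ABCDEF, n=2 -> AB BC CD DE EF."""
    return [tuple(queue[i:i + n]) for i in range(len(queue) - n + 1)]


def build_baseline(sequences, n, top_k):
    """S17: count every size-n combination over regular users' sequences, rank by
    frequency and keep the top_k ranks (the page's "configured position").
    Ties at the cut-off are broken by first occurrence, which is arbitrary;
    choose top_k so the cut falls in a gap, or use a count threshold instead."""
    freq = Counter()
    for seq in sequences:
        freq.update(split_combinations(seq, n))
    return {combo for combo, _ in freq.most_common(top_k)}


def detect(events, baseline, n, over_frequency_nodes, confidential_nodes):
    """S18/S19 plus the confidential-node check for the all-matched case.

    over_frequency_nodes are the nodes whose first access frequency exceeded the
    target in S13; the page only reaches this step when that list is non-empty."""
    combos = split_combinations(access_order(events), n)
    unmatched = [c for c in combos if c not in baseline]
    if unmatched:
        return {"abnormal": True, "reason": "unmatched_combination", "detail": unmatched}
    leaked = sorted(set(over_frequency_nodes) & set(confidential_nodes))
    if leaked:
        return {"abnormal": True, "reason": "confidential_node_over_frequency", "detail": leaked}
    return {"abnormal": False, "reason": "", "detail": []}


if __name__ == "__main__":
    base = build_baseline(REGULAR_SEQUENCES, 2, 5)
    print(sorted(base))  # [('A', 'B'), ('B', 'C'), ('C', 'D'), ('D', 'E'), ('E', 'F')]
    print(detect(SUBJECT_EVENTS, base, 2, ["C"], CONFIDENTIAL_NODES))
    print(detect(NORMAL_EVENTS, base, 2, ["B"], CONFIDENTIAL_NODES))
```

The cut-off at the configured position is where this baseline is most fragile: a rare but legitimate path such as AC above falls outside the top-K and is flagged, and ties at rank K are broken arbitrarily by Counter.most_common. Keeping the counts and applying a minimum-frequency threshold avoids the tie problem; the rank-based rule is kept here because it is what the text describes.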
In at least one embodiment of the present application, after determining that the behaviour of the person to be detected is abnormal, the method further includes:
After determining that the behaviour of the person to be detected is abnormal, the electronic device restricts the access permissions of the person to be detected to the preset system.
In at least one embodiment of the present application, after determining that the behaviour of the person to be detected is abnormal, the method further includes:
The electronic device obtains first face information of the person to be detected from a monitoring device. Further, the electronic device extracts from the first log data the target account used to log in to the preset system, retrieves the target face information corresponding to the target account from a configuration library, and uses face recognition to determine whether the first face information matches the target face information. When the first face information fails to match the target face information, the electronic device restricts the access permissions of the person to be detected to the terminal device corresponding to the target face information.
The monitoring device consists of four parts: a camera part, a transmission part, a control part and a display part.
The configuration library contains the target face information of the at least one user.
Through the above embodiment, it is possible to prevent someone from performing abnormal operations under another person's identity.
In at least one embodiment of the present application, after determining that the behaviour of the person to be detected is abnormal, the method further includes:
After determining that the behaviour of the person to be detected is abnormal, the electronic device generates alarm information and sends it to the configured device of a designated contact.
The alarm information may include the name and identity card number of the person to be detected, the time at which the abnormal behaviour occurred, and so on.
Further, the designated contact may include the user who triggered the behaviour detection instruction, among others.
Through the above embodiment, once the behaviour of the person to be detected is determined to be abnormal, an alarm and reminder can be issued in time, which helps the designated contact take corresponding measures promptly and avoid losses.
As can be seen from the above technical solution, when a behaviour detection instruction is received, the present application obtains, through instrumentation, the first log data of the person to be detected at each functional node of the preset system; computes from the first log data the first access frequency of the person to be detected to each functional node; retrieves the target access frequency of each functional node; compares the first access frequency of each functional node with its target access frequency; when there is a functional node whose first access frequency is greater than its target access frequency, determines from the first log data the order in which the person to be detected accessed the functional nodes; builds the first queue of functional nodes based on the access order; splits the first queue to obtain the first combinations of functional nodes accessed by the person to be detected; retrieves the pre-configured baseline combinations; matches the first combinations against the baseline combinations; and, when any first combination fails to match, determines that the behaviour of the person to be detected is abnormal. By combining the access frequency and the access order of the functional nodes, abnormal behaviour can be detected more comprehensively and accurately, and the relevant personnel can then be alerted, so that information leakage is avoided.
FIG. 2 is a functional module diagram of a preferred embodiment of the behaviour detection apparatus based on log data analysis of the present application. The behaviour detection apparatus 11 based on log data analysis includes an acquisition unit 110, a calculation unit 111, a retrieval unit 112, a comparison unit 113, a determination unit 114, an establishment unit 115, a splitting unit 116, a matching unit 117, a processing unit 118, an extraction unit 119, an arrangement unit 120, an integration unit 121, a judgement unit 122, a control unit 123, an update unit 124, a generation unit 125 and a sending unit 126. A module/unit in this application is a series of computer-readable instruction segments stored in the memory 12 that can be executed by the processor 13 and perform a fixed function.
When a behaviour detection instruction is received, the acquisition unit 110 obtains, through instrumentation, the first log data of the person to be detected at each functional node of the preset system.
In at least one embodiment of the present application, the behaviour detection instruction may be triggered by a user or triggered automatically when a certain condition is met, which is not limited in this application.
The certain condition includes, but is not limited to, reaching a first preset time.
The first preset time may be a specific point in time or a time period; for example, the first preset time may be 7:00 every morning.
In at least one embodiment of the present application, the preset system is the business system corresponding to the work of the person to be detected.
The functions of the business system may include marketing planning, sales, sales process management, customer service management, customer relationship management, risk prevention and so on.
The first log data is data recording the series of operations of the person to be detected at each functional node of the preset system; the first log data plays an important role in tasks such as processing historical data.
In at least one embodiment of the present application, the acquisition unit 110 obtaining, through instrumentation, the first log data of the person to be detected at each functional node of the preset system includes:
The acquisition unit 110 obtains, through instrumentation, the access behaviour of the person to be detected at each functional node and the first access time at which the access behaviour occurred. Further, the acquisition unit 110 records the access behaviour and the first access time to obtain the first log data of each functional node.
Instrumentation (埋点, event tracking) is a data collection method for privately deployed systems; it can be understood as tagging and tracking data and tracing data links.
For example: the first log data may record that the person to be detected, Jia, accessed functional node A at 10:00, functional node B at 15:00 and functional node C at 18:00.
Through the above embodiment, the first log data can be obtained quickly and accurately, which makes it convenient to compute the access frequency of the person to be detected to each functional node.
Based on the first log data, the calculation unit 111 computes the first access frequency of the person to be detected to each functional node.
In at least one embodiment of the present application, the first access frequency is the number of accesses by the person to be detected to a functional node per unit time.
The unit time may be a time period; for example, the unit time may be 1 hour, which is not limited in this application.
In at least one embodiment of the present application, the calculation unit 111 computing the first access frequency of the person to be detected to each functional node based on the first log data includes:
The calculation unit 111 determines the access identifier corresponding to each functional node. Further, using nondeterministic finite automaton (NFA) matching, the calculation unit 111 recognises each access identifier in the first log data and counts the occurrences of each access identifier per unit time, obtaining the first access frequency of the person to be detected to each functional node.
For example: the calculation unit 111 obtains the access identifier of functional node A as jiediana and recognises 10 occurrences of jiediana in the first log data within one hour; therefore the first access frequency to functional node A is 10 per hour.
Through the above embodiment, the access frequency of the person to be detected to each functional node can be computed accurately.
The retrieval unit 112 retrieves the target access frequency of each functional node.
In at least one embodiment of the present application, the target access frequency is determined based on the 99.7 rule of the normal distribution curve, that is, the three-sigma rule under which about 99.7% of the values of a normally distributed quantity lie within three standard deviations of the mean.
In at least one embodiment of the present application, before the target access frequency of each functional node is retrieved, the acquisition unit 110 obtains the frequency at which at least one user accesses each functional node as the second access frequency. Further, the processing unit 118 fits a normal distribution to the second access frequencies of each functional node to obtain the normal distribution curve of that functional node. Further, the acquisition unit 110 obtains from the normal distribution curve the third access frequencies satisfying the 99.7 rule, and the determination unit 114 determines the highest third access frequency as the target access frequency.
For example: the expected value of accesses to functional node A by the at least one user is 20 per hour, and 99.7% of the at least one user access functional node A with a third access frequency between 15 and 25 per hour; therefore the determination unit 114 takes the highest third access frequency, 25 per hour, as the target access frequency of functional node A.
The at least one user includes, but is not limited to, regular users who access each functional node relatively frequently.
The second access frequency is the frequency at which the at least one user accesses each functional node.
For example: user Bing accesses functional node A 10 times per hour and user Ding accesses functional node A 8 times per hour, so the second access frequency of user Bing to functional node A is 10 per hour and that of user Ding is 8 per hour.
Through the above embodiment, based on the 99.7 rule, the access frequency of regular users to each functional node can be obtained, and the target access frequency of each functional node can be determined from it.
The comparison unit 113 compares the first access frequency of each functional node with the target access frequency of that functional node.
In at least one embodiment of the present application, after the first access frequency of each functional node has been compared with its target access frequency, the acquisition unit 110 obtains a comparison result, which is one of the following:
(1) There is a functional node whose first access frequency is greater than its target access frequency.
(2) No functional node has a first access frequency greater than its target access frequency.
For example: the first access frequency of the person to be detected, Jia, is 3 per hour for functional node A, 100 per hour for functional node B and 4 per hour for functional node C, and the retrieved target access frequencies are 8 per hour for functional node A, 10 per hour for functional node B and 12 per hour for functional node C. The comparison unit 113 compares the first access frequency of each functional node with its target access frequency and obtains the comparison result that functional node B has a first access frequency greater than its target access frequency.
Through the above embodiment, the comparison result between the first access frequency and the target access frequency of each functional node can be obtained, and this comparison result serves as a prerequisite for behaviour detection.
当有功能节点的第一访问频次大于目标访问频次时,所述确定单元114从所述第一日志数据中确定所述待检测人员对所述功能节点的访问顺序。When the first access frequency of the functional node is greater than the target access frequency, the determining unit 114 determines the order in which the person to be detected visits the functional node from the first log data.
在本申请的至少一个实施例中,所述访问顺序是指所述待检测人员访问所述功能节 点的顺序。In at least one embodiment of the present application, the access sequence refers to the sequence in which the person to be detected accesses the functional node.
在本申请的至少一个实施例中,所述确定单元114从所述第一日志数据中确定所述待检测人员对所述功能节点的访问顺序包括:In at least one embodiment of the present application, the determining unit 114 determining, from the first log data, the access sequence of the person to be detected to the functional node includes:
所述确定单元114采用机器学习方法从所述第一日志数据中提取所述功能节点的访问时间,按照所述访问时间的先后顺序对所述功能节点进行排序,得到所述功能节点的访问顺序。The determining unit 114 uses a machine learning method to extract the access time of the functional nodes from the first log data, and sorts the functional nodes in the order of the access time to obtain the access sequence of the functional nodes .
For example: it is obtained from the first log data that functional node A was accessed at 7:00 this morning, functional node B at 7:30 this morning and functional node C at 8:00 this morning; the functional nodes are then sorted by access time, which gives the access order: functional node A first, then functional node B, and finally functional node C.
Through the above embodiment, the order in which the person under inspection accessed the functional nodes can be determined accurately, which makes it easy to establish the first queue quickly afterwards and then use the access order as a condition for behavior detection.
Based on the access order, the establishing unit 115 establishes the first queue of the functional nodes.
In at least one embodiment of the present application, the first queue is a queue formed from the order in which the person under inspection accessed each functional node.
Through the above embodiment, the first queue can be established from the access order, which provides the basis for forming the first combinations afterwards.
The splitting unit 116 splits the first queue to obtain the first combinations in which the person under inspection accessed the functional nodes.
In at least one embodiment of the present application, the first combinations are obtained by splitting the first queue in order.
In at least one embodiment of the present application, the splitting unit 116 splitting the first queue to obtain the first combinations in which the person under inspection accessed the functional nodes includes:
The splitting unit 116 obtains the configured node count of each first combination and, using the configured node count as the number of nodes per combination, splits all functional nodes in the first queue in turn to obtain the first combinations in which the person under inspection accessed the functional nodes.
Here the configured node count is determined according to the number of functional nodes accessed by the person under inspection; it may be 2 or 3, and the present application does not limit it.
For example: the first queue is ABCDEF. If the configured node count obtained by the splitting unit 116 is 2, then using 2 as the number of nodes per combination and splitting all functional nodes in the first queue in turn, the resulting first combinations are AB, BC, CD, DE and EF. If the configured node count obtained by the splitting unit 116 is 3, then using 3 as the number of nodes per combination and splitting all functional nodes in the first queue in turn, the resulting first combinations are ABC, BCD, CDE and DEF.
Through the above embodiment, the first combinations of the person under inspection can be obtained directly.
The retrieving unit 112 retrieves the pre-configured reference combinations.
In at least one embodiment of the present application, the reference combinations are, on the basis of the configured node count, the combinations retrieved from the target set whose node count equals the configured node count.
In at least one embodiment of the present application, the target set is established before the pre-configured reference combinations are retrieved.
Specifically, establishing the target set includes:
The acquiring unit 110 acquires second log data of at least one user accessing each functional node in the preset system; the extracting unit 119 extracts from the second log data the access sequence of the at least one user over the functional nodes; the acquiring unit 110 then acquires the target node count; the splitting unit 116, using the target node count as the number of nodes per combination, splits the access sequence in turn to obtain the second combinations in which the at least one user accessed the functional nodes; according to the second log data, the calculating unit 111 calculates the second access frequency of each of the second combinations; the arranging unit 120 arranges the second combinations by second access frequency from high to low to obtain the second queue; and the integrating unit 121 integrates the combinations ahead of the configured position in the second queue to obtain the target set.
Here the target node count is determined according to the number of functional nodes of the preset system; it may be 2 or 5, and the present application does not limit it.
The configured position may be 50 or 100; the present application does not limit it.
Through the above embodiment, the target set can be obtained, so that the retrieving unit 112 can retrieve the reference combinations as needed.
In at least one embodiment of the present application, the establishing unit 115 extracting the access sequence of the at least one user over the functional nodes from the second log data includes:
The establishing unit 115 obtains from the second log data the target access time at which the at least one user accessed each functional node, and then sorts the functional nodes by target access time to obtain the access sequence of the at least one user over the functional nodes.
In at least one embodiment of the present application, every second preset time the updating unit 124 updates the second log data and, according to the updated second log data, updates the reference combinations.
Here the second preset time may be a time period; the present application does not limit it.
The matching unit 117 matches the first combinations against the reference combinations.
In at least one embodiment of the present application, after the first combinations are matched against the reference combinations, the acquiring unit 110 obtains a matching result, which may be either of the following:
(1) All of the first combinations match successfully within the reference combinations.
(2) Some combination among the first combinations fails to match the reference combinations.
For example: the first combinations are AD, BC, CD, DE and EF, and the reference combinations are AB, BC, CD, DE and EF; AD among the first combinations fails to match the reference combinations.
In at least one embodiment of the present application, if all first combinations match successfully within the reference combinations, the acquiring unit 110 obtains the first functional node whose first access frequency is greater than the target access frequency, and the judging unit 122 judges whether the first functional node belongs to the target functional nodes, where the data corresponding to a target functional node contains confidential information; when the first functional node belongs to the target functional nodes, the determining unit 114 determines that the behavior of the person under inspection is abnormal.
Through the above embodiment, when the first access frequency of the person under inspection to a target functional node is greater than the target access frequency, the behavior of the person under inspection is determined to be abnormal, so that measures can be taken to prevent the leakage of confidential information.
When a combination among the first combinations fails to match, the determining unit 114 determines that the behavior of the person under inspection is abnormal.
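The procedure described above, carried through end to end as an added worked example in Python: the access order is taken from the log, the first queue is split into combinations of the configured node count, the reference combinations are the most frequent combinations of the baseline (second) log data, the first combinations are matched against them, and the decision follows the order of the description, including the branch in which every combination matches but a node with confidential data was accessed above its target access frequency. This is not code from the patent or its applicant. The log-line format, the node ids A to F, the 30-minute spacing, the cut-off of 6 in place of the configured position of 50 or 100, and the reading of the target access frequency as the mean plus three standard deviations of the per-user baseline counts (the upper edge of the 99.7 rule band named in claim 3) are all assumptions made for this example.

```python
from collections import Counter
from statistics import mean, pstdev


def make_log(user, day, path):
    """Construct log lines of the form "<ISO time> user=<id> node=<node>" for one
    user visiting the nodes of `path` 30 minutes apart from 07:00. The format is
    an assumption for this example, not the patent's."""
    return "\n".join(
        f"{day}T{7 + i // 2:02d}:{(i % 2) * 30:02d} user={user} node={node}"
        for i, node in enumerate(path)
    )


# Constructed baseline ("second log data"): three users of a six-node system.
BASELINE_LOG = "\n".join([
    make_log("u1", "2019-11-01", "ABCDEF"),
    make_log("u2", "2019-11-01", "ABCABCD"),
    make_log("u3", "2019-11-01", "ABCDEF"),
])
# Constructed "first log data" for two people under inspection.
SEQUENCE_LOG = make_log("x", "2019-11-02", "AAADB")       # repeats A, then an order never seen
FREQUENCY_LOG = make_log("y", "2019-11-02", "ABCABCABC")  # known order, but A, B, C three times each


def parse_log(text):
    """Parse log lines into (timestamp, user, node) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, user_field, node_field = line.split()
        records.append((ts, user_field.split("=", 1)[1], node_field.split("=", 1)[1]))
    return records


def access_queue(records, user):
    """First queue: the user's nodes sorted by access time (ISO timestamps sort chronologically)."""
    return [node for _, u, node in sorted(records) if u == user]


def split_queue(queue, n):
    """Split a queue into overlapping n-node combinations: ABCDEF with n=2 gives AB, BC, CD, DE, EF."""
    return ["".join(queue[i:i + n]) for i in range(len(queue) - n + 1)]


def node_frequencies(records, user):
    """Access count per node for one user (the first access frequency)."""
    return Counter(node for _, u, node in records if u == user)


def target_frequencies(baseline):
    """Target access frequency per node: mean + 3 sigma of the per-user baseline
    counts, i.e. the upper edge of the 99.7 rule band (my reading of claim 3)."""
    users = {u for _, u, _ in baseline}
    per_user = {u: node_frequencies(baseline, u) for u in users}
    targets = {}
    for node in {node for _, _, node in baseline}:
        counts = [per_user[u][node] for u in users]  # 0 for users who never visited the node
        targets[node] = mean(counts) + 3 * pstdev(counts)
    return targets


def reference_combinations(baseline, n, top_k):
    """Target set: the top_k most frequent n-node combinations over all baseline users
    (top_k stands in for the configured position; 6 here instead of 50 or 100)."""
    counts = Counter()
    for user in {u for _, u, _ in baseline}:
        counts.update(split_queue(access_queue(baseline, user), n))
    ranked = sorted(counts, key=lambda combo: (-counts[combo], combo))  # frequency desc, then name
    return set(ranked[:top_k])


def detect(first_log, baseline_log, user, n=2, top_k=6, confidential=frozenset()):
    """Return (abnormal, reason), following the decision order of the description."""
    first, baseline = parse_log(first_log), parse_log(baseline_log)
    freq, targets = node_frequencies(first, user), target_frequencies(baseline)
    # A node absent from the baseline gets target 0, so any access to it counts as exceeding.
    exceeded = sorted(node for node, c in freq.items() if c > targets.get(node, 0.0))
    if not exceeded:
        return False, "no node above target frequency"
    combos = split_queue(access_queue(first, user), n)
    reference = reference_combinations(baseline, n, top_k)
    unmatched = [c for c in combos if c not in reference]
    if unmatched:
        return True, "unmatched combination " + unmatched[0]
    hits = [node for node in exceeded if node in confidential]
    if hits:
        return True, "confidential node " + hits[0] + " above target frequency"
    return False, "access pattern matches the baseline"


if __name__ == "__main__":
    print(detect(SEQUENCE_LOG, BASELINE_LOG, "x"))
    print(detect(FREQUENCY_LOG, BASELINE_LOG, "y", confidential={"C"}))
```

With these constructed logs, user x is flagged because the combination AA never occurs in the baseline, and user y, whose order ABCABC is one the baseline user u2 also followed, is flagged only when C is declared a confidential node; with no confidential nodes y's pattern is accepted even though A, B and C were each accessed above their target frequency. The ranking breaks frequency ties by name so that the cut-off is deterministic, which matters when the configured position is small relative to the number of distinct combinations.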
In at least one embodiment of the present application, after the behavior of the person under inspection is determined to be abnormal, the control unit 123 controls the access permission of the person under inspection to the preset system.
In at least one embodiment of the present application, after the behavior of the person under inspection is determined to be abnormal, the acquiring unit 110 acquires first face information of the person under inspection from the monitoring device; the extracting unit 119 extracts from the first log data the target account used to log in to the preset system; the retrieving unit 112 retrieves the target face information corresponding to the target account from the configuration library; the judging unit 122 judges by face recognition technology whether the first face information matches the target face information; and when the first face information fails to match the target face information, the control unit 123 controls the access permission of the person under inspection to the terminal device corresponding to the target face information.
Here the monitoring device is composed of four parts: a camera part, a transmission part, a control part and a display part.
The configuration library contains the target face information of the at least one user.
Through the above embodiment, it is possible to prevent someone from performing abnormal operations under another person's name.
In at least one embodiment of the present application, after the behavior of the person under inspection is determined to be abnormal, the generating unit 125 generates alarm information, and the sending unit 126 sends the alarm information to the configured device of a designated contact.
Here the alarm information may include the name and ID number of the person under inspection, the time at which the abnormal behavior occurred, and so on.
Further, the designated contact may include the user who triggered the behavior detection instruction, among others.
Through the above embodiment, once the behavior of the person under inspection is determined to be abnormal, an alarm and reminder can be issued promptly, which helps the designated contact take corresponding measures in time and so avoid losses.
It can be seen from the above technical solution that, by combining the access frequency and the access order of the functional nodes, the present application can detect abnormal behavior more comprehensively and accurately, and then alert the relevant personnel so as to avoid information leakage.
As shown in FIG. 3, it is a schematic structural diagram of the electronic device of a preferred embodiment of the present application for implementing the behavior detection method based on log data analysis.
The electronic device includes a processor 13 and a memory 12. The processor 13 executes the operating system of the electronic device 1 and the various installed applications. The processor 13 executes the applications to implement the steps of the above embodiments of the behavior detection method based on log data analysis, for example steps S10, S11, S12, S13, S14, S15, S16, S17, S18 and S19 shown in FIG. 1. Alternatively, when the processor 13 executes the computer-readable instructions, the functions of the modules/units in the above apparatus embodiments are implemented.
Exemplarily, the computer-readable instructions may be divided into one or more modules/units, which are stored in the memory 12 and executed by the processor 13 to complete the present application. The one or more modules/units may be a series of computer-readable instruction segments capable of completing specific functions, the segments describing the execution process of the computer-readable instructions in the electronic device 1. For example, the computer-readable instructions may be divided into the units of FIG. 2.
The memory 12 may be used to store the computer-readable instructions and/or modules; the processor 13 implements the various functions of the electronic device 1 by running or executing the computer-readable instructions and/or modules stored in the memory 12 and by calling the data stored in the memory 12. The memory 12 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system, the application program required by at least one function (for example a sound playback function or an image playback function), and so on, and the data storage area may store data created according to the use of the electronic device. In addition, the memory 12 may include non-volatile memory, such as a hard disk, main memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash card, at least one magnetic disk storage device, a flash memory device, or another non-volatile solid-state storage device.
The memory 12 may be an external memory and/or an internal memory of the electronic device 1. Further, the memory 12 may be a circuit with a storage function that has no physical form within an integrated circuit, such as a FIFO (First In First Out). Alternatively, the memory 12 may be a memory with a physical form, such as a memory module or a TF card (Trans-flash Card).
If the integrated modules/units of the electronic device 1 are implemented as software functional units and sold or used as independent products, they may be stored in a non-volatile computer-readable storage medium. On this understanding, the present application may implement all or part of the processes of the above method embodiments by instructing the relevant hardware through computer-readable instructions; the computer-readable instructions may be stored in a non-volatile readable storage medium, and when they are executed by a processor, the steps of the above method embodiments are implemented.
The computer-readable instruction code may be in source code form, object code form, an executable file, some intermediate form, or the like. The computer-readable medium may include any entity or device capable of carrying the computer-readable instruction code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disc, a computer memory, or a read-only memory (ROM, Read-Only Memory).
For the specific way in which the processor 13 implements the above instructions, reference may be made to the description of the relevant steps in the embodiment corresponding to FIG. 1, which is not repeated here.
The scope of the present application is defined by the appended claims rather than by the above description, and all changes falling within the meaning and range of equivalents of the claims are therefore intended to be included in the present application. Any reference signs in the claims shall not be construed as limiting the claims concerned.

Claims (20)

  1. A behavior detection method based on log data analysis, characterized in that the method comprises:
    when a behavior detection instruction is received, acquiring, by tracking-point instrumentation, first log data of a person under inspection at each functional node of a preset system;
    calculating, according to the first log data, a first access frequency of the person under inspection to each functional node;
    retrieving a target access frequency of each functional node;
    comparing the first access frequency of each functional node with the target access frequency of each functional node;
    when the first access frequency of a functional node is greater than the target access frequency, determining, from the first log data, the order in which the person under inspection accessed the functional nodes;
    establishing, based on the access order, a first queue of the functional nodes;
    splitting the first queue to obtain first combinations in which the person under inspection accessed the functional nodes;
    retrieving pre-configured reference combinations;
    matching the first combinations against the reference combinations;
    when a combination among the first combinations fails to match, determining that the behavior of the person under inspection is abnormal.
  2. The behavior detection method based on log data analysis according to claim 1, characterized in that calculating, according to the first log data, the first access frequency of the person under inspection to each functional node comprises:
    determining the access identifier corresponding to accessing each functional node;
    identifying each access identifier from the first log data by the matching principle of a non-deterministic finite automaton;
    counting the number of each access identifier within the unit time to obtain the first access frequency of the person under inspection to each functional node.
  3. The behavior detection method based on log data analysis according to claim 1, characterized in that, before retrieving the target access frequency of each functional node, the method further comprises:
    acquiring second log data of at least one user accessing each functional node;
    determining, according to the second log data, the frequency with which the at least one user accessed each functional node as a second access frequency;
    performing normal distribution processing on the second access frequency of each functional node to obtain a normal distribution curve of each functional node;
    obtaining from the normal distribution curve the third access frequencies that satisfy the 99.7 rule;
    determining the highest third access frequency as the target access frequency.
  4. The behavior detection method based on log data analysis according to claim 1, characterized in that determining, from the first log data, the order in which the person under inspection accessed the functional nodes comprises:
    extracting the access time of the functional nodes from the first log data by a machine learning method;
    sorting the functional nodes by access time to obtain the access order of the functional nodes.
  5. The behavior detection method based on log data analysis according to claim 3, characterized in that, before retrieving the pre-configured reference combinations, the method further comprises:
    acquiring second log data of the at least one user accessing each functional node in the preset system;
    extracting, from the second log data, the access sequence of the at least one user over the functional nodes;
    acquiring a target node count;
    splitting the access sequence in turn, using the target node count as the number of nodes per combination, to obtain second combinations in which the at least one user accessed the functional nodes;
    calculating, according to the second log data, a second access frequency of each of the second combinations;
    arranging the second combinations by second access frequency from high to low to obtain a second queue;
    integrating the combinations ahead of a configured position in the second queue to obtain a target set, wherein the reference combinations are, on the basis of a configured node count, the combinations retrieved from the target set whose node count equals the configured node count.
  6. The behavior detection method based on log data analysis according to claim 5, characterized in that the method further comprises:
    splitting all functional nodes in the first queue in turn, using the configured node count as the number of nodes per combination, to obtain the first combinations;
    if all first combinations match successfully within the reference combinations, obtaining the first functional node whose first access frequency is greater than the target access frequency;
    judging whether the first functional node belongs to the target functional nodes, wherein the data corresponding to a target functional node contains confidential information;
    when the first functional node belongs to the target functional nodes, determining that the behavior of the person under inspection is abnormal.
  7. The behavior detection method based on log data analysis according to claim 1, characterized in that, after determining that the behavior of the person under inspection is abnormal, the method further comprises:
    acquiring first face information of the person under inspection from a monitoring device;
    extracting, from the first log data, the target account used to log in to the preset system;
    retrieving the target face information corresponding to the target account from a configuration library;
    judging, by face recognition technology, whether the first face information matches the target face information;
    when the first face information fails to match the target face information, controlling the access permission of the person under inspection to the terminal device corresponding to the target face information.
  8. A behavior detection apparatus based on log data analysis, characterized in that the apparatus comprises:
    an acquiring unit, configured to acquire, by tracking-point instrumentation, when a behavior detection instruction is received, first log data of a person under inspection at each functional node of a preset system;
    a calculating unit, configured to calculate, according to the first log data, a first access frequency of the person under inspection to each functional node;
    a retrieving unit, configured to retrieve a target access frequency of each functional node;
    a comparing unit, configured to compare the first access frequency of each functional node with the target access frequency of each functional node;
    a determining unit, configured to determine, from the first log data, the order in which the person under inspection accessed the functional nodes when the first access frequency of a functional node is greater than the target access frequency;
    an establishing unit, configured to establish, based on the access order, a first queue of the functional nodes;
    a splitting unit, configured to split the first queue to obtain first combinations in which the person under inspection accessed the functional nodes;
    the retrieving unit being further configured to retrieve pre-configured reference combinations;
    a matching unit, configured to match the first combinations against the reference combinations;
    the determining unit being further configured to determine that the behavior of the person under inspection is abnormal when a combination among the first combinations fails to match.
  9. An electronic device, characterized in that the electronic device comprises:
    a memory storing at least one computer-readable instruction; and
    a processor executing the at least one computer-readable instruction to implement the following steps:
    when a behavior detection instruction is received, acquiring, by tracking-point instrumentation, first log data of a person under inspection at each functional node of a preset system;
    calculating, according to the first log data, a first access frequency of the person under inspection to each functional node;
    retrieving a target access frequency of each functional node;
    comparing the first access frequency of each functional node with the target access frequency of each functional node;
    when the first access frequency of a functional node is greater than the target access frequency, determining, from the first log data, the order in which the person under inspection accessed the functional nodes;
    establishing, based on the access order, a first queue of the functional nodes;
    splitting the first queue to obtain first combinations in which the person under inspection accessed the functional nodes;
    retrieving pre-configured reference combinations;
    matching the first combinations against the reference combinations;
    when a combination among the first combinations fails to match, determining that the behavior of the person under inspection is abnormal.
  10. 如权利要求9所述的电子设备,其特征在于,所述处理器执行至少一个计算机可读指令以实现所述根据所述第一日志数据,计算所述待检测人员对每个功能节点的第一访问频次时,包括以下步骤:The electronic device according to claim 9, wherein the processor executes at least one computer-readable instruction to implement the calculation of the first log data of the person to be tested for each functional node. For a visit frequency, the following steps are included:
    确定访问每个功能节点时对应的访问标识;Determine the corresponding access identifier when accessing each functional node;
    采用非确定型有穷自动机匹配原理,从所述第一日志数据中识别出每个访问标识;Using the principle of non-deterministic finite automata matching, identify each access identifier from the first log data;
    计算所述单位时间内每个访问标识的个数,得到所述待检测人员对每个功能节点的第一访问频次。Calculate the number of each access identifier in the unit time to obtain the first access frequency of each functional node of the person to be tested.
  11. 如权利要求9所述的电子设备,其特征在于,在调取每个功能节点的目标访问频次之前,所述处理器执行至少一个计算机可读指令还用以实现以下步骤:9. The electronic device of claim 9, wherein the processor executes at least one computer-readable instruction before calling the target access frequency of each functional node to implement the following steps:
    获取至少一个用户访问每个功能节点的第二日志数据;Acquiring second log data of at least one user accessing each functional node;
    根据所述第二日志数据确定所述至少一个用户对每个功能节点进行访问的频次,作为第二访问频次;Determining, according to the second log data, the frequency of visits by the at least one user to each functional node as the second frequency of visits;
    对每个功能节点的第二访问频次进行正态分布处理,得到每个功能节点的正态分布曲线;Perform normal distribution processing on the second access frequency of each functional node to obtain the normal distribution curve of each functional node;
    从所述正态分布曲线中获取满足99.7法则的第三访问频次;Obtain the third access frequency meeting the 99.7 rule from the normal distribution curve;
    将频次最高的第三访问频次确定为所述目标访问频次。The third visit frequency with the highest frequency is determined as the target visit frequency.
  12. 如权利要求9所述的电子设备,其特征在于,所述处理器执行至少一个计算机可读指令以实现所述从所述第一日志数据中确定所述待检测人员对所述功能节点的访问顺序时,包括以下步骤:The electronic device according to claim 9, wherein the processor executes at least one computer-readable instruction to implement the determination from the first log data that the person to be inspected has access to the functional node The sequence includes the following steps:
    采用机器学习方法从所述第一日志数据中提取所述功能节点的访问时间;Extracting the access time of the functional node from the first log data by using a machine learning method;
    按照所述访问时间的先后顺序对所述功能节点进行排序,得到所述功能节点的访问顺序。The functional nodes are sorted according to the order of the access time to obtain the access sequence of the functional nodes.
  13. The electronic device according to claim 11, wherein, before the pre-configured reference combinations are retrieved, the processor further executes the at least one computer-readable instruction to implement the following steps:
    acquiring second log data of the at least one user accessing each functional node in the preset system;
    extracting, from the second log data, the access sequence of the at least one user to the functional nodes;
    acquiring a target node count;
    splitting the access sequence in turn, with the target node count as the number of nodes per combination, to obtain second combinations of the accesses of the at least one user to the functional nodes;
    calculating, according to the second log data, the second access frequency of each of the second combinations;
    arranging the second combinations in descending order of the second access frequency to obtain a second queue;
    integrating the combinations ranked before a configured position in the second queue to obtain the target set, wherein the reference combinations are combinations retrieved from the target set on the basis of a configured node count, each having a number of nodes equal to the configured node count.
  14. The electronic device according to claim 13, wherein the processor further executes the at least one computer-readable instruction to implement the following steps:
    splitting all the functional nodes in the first queue in turn, with the configured node count as the number of nodes per combination, to obtain the first combinations;
    if all of the first combinations are matched successfully in the reference combinations, acquiring the first functional node whose first access frequency is greater than the target access frequency;
    determining whether the first functional node belongs to a target functional node, wherein the data corresponding to the target functional node contains confidential information;
    when the first functional node belongs to the target functional node, determining that the behavior of the person under detection is abnormal.
  15. A non-volatile readable storage medium, wherein the non-volatile readable storage medium stores at least one computer-readable instruction, and the at least one computer-readable instruction is executed by a processor in an electronic device to implement the following steps:
    when a behavior detection instruction is received, acquiring, by buried-point (event tracking) instrumentation, first log data of the person under detection at each functional node in a preset system;
    calculating, according to the first log data, the first access frequency of the person under detection to each functional node;
    retrieving the target access frequency of each functional node;
    comparing the first access frequency of each functional node with the target access frequency of each functional node;
    when there is a functional node whose first access frequency is greater than the target access frequency, determining, from the first log data, the order in which the person under detection accessed the functional nodes;
    establishing a first queue of the functional nodes based on the access order;
    splitting the first queue to obtain first combinations of the accesses of the person under detection to the functional nodes;
    retrieving pre-configured reference combinations;
    matching the first combinations with the reference combinations;
    when any combination among the first combinations fails to match, determining that the behavior of the person under detection is abnormal.
  16. The storage medium according to claim 15, wherein, when the at least one computer-readable instruction is executed by the processor to implement the calculating, according to the first log data, of the first access frequency of the person under detection to each functional node, the following steps are included:
    determining the access identifier corresponding to an access to each functional node;
    identifying each access identifier from the first log data using the matching principle of a non-deterministic finite automaton;
    counting the number of each access identifier within the unit time to obtain the first access frequency of the person under detection to each functional node.
  17. The storage medium according to claim 15, wherein, before the target access frequency of each functional node is retrieved, the at least one computer-readable instruction is further executed by the processor to implement the following steps:
    acquiring second log data of at least one user accessing each functional node;
    determining, according to the second log data, the frequency with which the at least one user accessed each functional node, as the second access frequency;
    performing normal-distribution processing on the second access frequency of each functional node to obtain a normal distribution curve for each functional node;
    obtaining, from the normal distribution curve, the third access frequencies that satisfy the 99.7 rule;
    determining the highest of the third access frequencies as the target access frequency.
  18. The storage medium according to claim 15, wherein, when the at least one computer-readable instruction is executed by the processor to implement the determining, from the first log data, of the order in which the person under detection accessed the functional nodes, the following steps are included:
    extracting the access time of the functional nodes from the first log data by a machine-learning method;
    sorting the functional nodes in chronological order of the access time to obtain the access order of the functional nodes.
  19. The storage medium according to claim 17, wherein, before the pre-configured reference combinations are retrieved, the at least one computer-readable instruction is further executed by the processor to implement the following steps:
    acquiring second log data of the at least one user accessing each functional node in the preset system;
    extracting, from the second log data, the access sequence of the at least one user to the functional nodes;
    acquiring a target node count;
    splitting the access sequence in turn, with the target node count as the number of nodes per combination, to obtain second combinations of the accesses of the at least one user to the functional nodes;
    calculating, according to the second log data, the second access frequency of each of the second combinations;
    arranging the second combinations in descending order of the second access frequency to obtain a second queue;
    integrating the combinations ranked before a configured position in the second queue to obtain the target set, wherein the reference combinations are combinations retrieved from the target set on the basis of a configured node count, each having a number of nodes equal to the configured node count.
  20. The storage medium according to claim 19, wherein the at least one computer-readable instruction is further executed by the processor to implement the following steps:
    splitting all the functional nodes in the first queue in turn, with the configured node count as the number of nodes per combination, to obtain the first combinations;
    if all of the first combinations are matched successfully in the reference combinations, acquiring the first functional node whose first access frequency is greater than the target access frequency;
    determining whether the first functional node belongs to a target functional node, wherein the data corresponding to the target functional node contains confidential information;
    when the first functional node belongs to the target functional node, determining that the behavior of the person under detection is abnormal.
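The pipeline of claims 15 to 20 (a per-node frequency check against a 99.7-rule target, then matching of the person's access-order combinations against a reference set built from other users' logs, then the confidential-node check of claim 20), shown end to end as an added Python example. This is illustrative code written for this page, not the applicant's implementation. Everything not stated in the claims is an assumption: the log-line format, the user and node names, the reading of "unit time" as the whole captured window, the sliding-window splitting of sequences, the "mean plus three standard deviations" reading of the 99.7 rule, a regular expression standing in for the NFA matcher of claim 16, and a timestamp sort standing in for the machine-learning extraction of claim 18.

```python
"""Worked example of the detection pipeline in claims 15-20 (constructed for this
page, not the applicant's code). Assumed log format: "<ISO ts> user=<u> node=<n>".
Assumed readings: the "unit time" is the whole captured window; combinations are a
sliding window of CONFIG_NODE_COUNT consecutive nodes; the "99.7 rule" target is
mean + 3 * population standard deviation of the baseline users' per-node counts.
"""
import re
import statistics
from collections import Counter, defaultdict

# Claim 16: access identifiers are recognised with a pattern matcher. Python's re
# is a backtracking NFA-style engine, the closest stdlib analogue to the claim.
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\w+) node=(?P<node>\w+)$")
CONFIG_NODE_COUNT = 2                   # nodes per combination ("configured node count")
CONFIG_POSITION = 4                     # keep the 4 most frequent combinations ("configured position")
CONFIDENTIAL_NODES = {"view_customer"}  # "target functional nodes" (constructed)

def make_log(user, nodes, minute=0):
    """Construct log text for one user, one access per second (sample data only)."""
    return "\n".join(f"2019-11-12T10:{minute:02d}:{i:02d} user={user} node={n}"
                     for i, n in enumerate(nodes))

def parse_log(text):
    """Return (timestamp, user, node) triples; lines that do not match are skipped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [(m["ts"], m["user"], m["node"]) for m in matches if m]

def by_user(events):
    groups = defaultdict(list)
    for ev in events:
        groups[ev[1]].append(ev)
    return groups

def access_frequency(events):
    """Claim 16: number of accesses per node within the unit time (whole window)."""
    return Counter(node for _, _, node in events)

def access_order(events):
    """Claim 18: nodes in chronological order (a timestamp sort stands in for the claimed ML step)."""
    return [node for _, _, node in sorted(events, key=lambda e: e[0])]

def split_combinations(seq, n):
    """Claims 14/19/20: combinations of n consecutive nodes (sliding window)."""
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def target_frequencies(baseline):
    """Claim 17: per node, the largest count still inside the 99.7% (3-sigma) band
    of the baseline users' per-user counts, i.e. mean + 3 * pstdev."""
    users = by_user(baseline)
    targets = {}
    for node in {node for _, _, node in baseline}:
        counts = [access_frequency(evs)[node] for evs in users.values()]
        targets[node] = statistics.mean(counts) + 3 * statistics.pstdev(counts)
    return targets

def reference_combinations(baseline, n=CONFIG_NODE_COUNT, position=CONFIG_POSITION):
    """Claim 19: rank baseline combinations by frequency; keep those before the configured position."""
    counts = Counter()
    for evs in by_user(baseline).values():
        counts.update(split_combinations(access_order(evs), n))
    return {combo for combo, _ in counts.most_common(position)}

def detect(first, targets, reference, confidential=CONFIDENTIAL_NODES, n=CONFIG_NODE_COUNT):
    """Claims 15 and 20 applied to one person's first log data."""
    freq = access_frequency(first)
    # A node absent from the baseline gets a target of 0 (assumption), so any access exceeds it.
    over = sorted(node for node, c in freq.items() if c > targets.get(node, 0.0))
    if not over:        # claim 15: nothing exceeds its target, so no sequence check is run
        return {"abnormal": False, "over_target": [], "unmatched": [], "reason": "no node exceeds its target"}
    unmatched = [c for c in split_combinations(access_order(first), n) if c not in reference]
    if unmatched:       # claim 15: an access pattern not in the reference set
        return {"abnormal": True, "over_target": over, "unmatched": unmatched, "reason": "combination not in reference set"}
    hits = [node for node in over if node in confidential]
    if hits:            # claim 20: patterns are known, but a confidential node is over-accessed
        return {"abnormal": True, "over_target": over, "unmatched": [], "reason": f"over-frequency on confidential node(s) {hits}"}
    return {"abnormal": False, "over_target": over, "unmatched": [], "reason": "over-frequency only on non-confidential nodes"}

# Constructed "second log data": three baseline users.
BASELINE = parse_log("\n".join([
    make_log("alice", ["login", "search", "view_customer", "logout"], 0),
    make_log("bob", ["login"] + ["search", "view_customer"] * 3 + ["logout"], 1),
    make_log("carol", ["login", "search", "logout"], 2),
]))
TARGETS = target_frequencies(BASELINE)        # search -> ~4.50, view_customer -> ~5.07, login/logout -> 1.0
REFERENCE = reference_combinations(BASELINE)  # top-4 bigrams; ("search", "logout") falls below the cut

# Constructed "first log data": four persons under detection.
SUBJECTS = {
    "dave": make_log("dave", ["login", "search", "export", "logout"]),                    # unknown pattern
    "eve": make_log("eve", ["login"] + ["search", "view_customer"] * 6 + ["logout"]),      # confidential node over target
    "frank": make_log("frank", ["login"] + ["search", "view_customer"] * 5 + ["logout"]),  # only "search" over target
    "grace": make_log("grace", ["login", "search", "logout"]),                             # within all targets
}

def check(subject_log):
    """Run the full pipeline for one person; returns the verdict and the evidence behind it."""
    return detect(parse_log(subject_log), TARGETS, REFERENCE)
```

Running `check` over the four constructed subjects shows the three distinct outcomes the claims distinguish: "dave" is flagged because the pair ("search", "export") never appears in the reference set, "eve" is flagged because every pair is known but the confidential node "view_customer" is accessed more often than its three-sigma target, and "frank" is not flagged even though "search" exceeds its target, because that node holds no confidential data. The detector deliberately returns the evidence (over-target nodes and unmatched combinations) alongside the verdict, since an analyst triaging the alert needs to see which rule fired; note also that a baseline of only three users gives very narrow three-sigma bands, so in practice the baseline window should cover enough users and time for the per-node counts to be reasonably normal.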
PCT/CN2019/117530 2019-09-23 2019-11-12 Log data analysis-based behavior detection method, apparatus, device, and medium WO2021056731A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910900782.7A CN111221722B (en) 2019-09-23 2019-09-23 Behavior detection method, behavior detection device, electronic equipment and storage medium
CN201910900782.7 2019-09-23

Publications (1)

Publication Number Publication Date
WO2021056731A1 true WO2021056731A1 (en) 2021-04-01

Family

ID=70828939

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/117530 WO2021056731A1 (en) 2019-09-23 2019-11-12 Log data analysis-based behavior detection method, apparatus, device, and medium

Country Status (2)

Country Link
CN (1) CN111221722B (en)
WO (1) WO2021056731A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114640507B (en) * 2022-02-28 2024-03-12 天翼安全科技有限公司 WebShell detection method, webShell detection device and storage medium
CN114650187B (en) * 2022-04-29 2024-02-23 深信服科技股份有限公司 Abnormal access detection method and device, electronic equipment and storage medium
CN115659377B (en) * 2022-12-13 2023-03-31 闪捷信息科技有限公司 Interface abnormal access identification method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050216561A1 (en) * 2000-05-02 2005-09-29 International Business Machines Corporation System and method for a computer based cooperative work system
CN106027577A (en) * 2016-08-04 2016-10-12 四川无声信息技术有限公司 Exception access behavior detection method and device
CN107370628A (en) * 2017-08-17 2017-11-21 阿里巴巴集团控股有限公司 Based on the log processing method and system buried a little
CN108055281A (en) * 2017-12-27 2018-05-18 百度在线网络技术(北京)有限公司 Account method for detecting abnormality, device, server and storage medium
CN109241711A (en) * 2018-08-22 2019-01-18 平安科技(深圳)有限公司 User behavior recognition method and device based on prediction model
CN109522190A (en) * 2018-10-12 2019-03-26 中国平安人寿保险股份有限公司 Abnormal user Activity recognition method and device, electronic equipment, storage medium

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000148276A (en) * 1998-11-05 2000-05-26 Fujitsu Ltd Device and method for monitoring security and securithy monitoring program recording medium
CN106650433B (en) * 2016-12-15 2018-09-04 咪咕数字传媒有限公司 A kind of anomaly detection method and system
CN107341095B (en) * 2017-06-27 2020-07-28 北京优特捷信息技术有限公司 Method and device for intelligently analyzing log data
CN110019318A (en) * 2017-09-11 2019-07-16 阿里巴巴集团控股有限公司 A kind of log matches processing method, device and electronic equipment
CN109976930A (en) * 2017-12-28 2019-07-05 腾讯科技(深圳)有限公司 Detection method, system and the storage medium of abnormal data
CN108304723A (en) * 2018-01-17 2018-07-20 链家网(北京)科技有限公司 A kind of anomaly detection method and device
CN109688097B (en) * 2018-09-07 2023-03-24 平安科技(深圳)有限公司 Website protection method, website protection device, website protection equipment and storage medium
CN109450879A (en) * 2018-10-25 2019-03-08 中国移动通信集团海南有限公司 User access activity monitoring method, electronic device and computer readable storage medium

Also Published As

Publication number Publication date
CN111221722B (en) 2024-01-30
CN111221722A (en) 2020-06-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19946561

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19946561

Country of ref document: EP

Kind code of ref document: A1